H3-2026-0016
Net-SNMP EXTEND-MIB Read/Write Access Remote Code Execution
| Category | VULNERABILITY |
| Base Score | 8.1 |
Description
Where Net-SNMP agents are configured to allow read/write access via community strings, remote attackers can abuse the NET-SNMP-EXTEND-MIB (management information base) to configure arbitrary command execution. By setting the nsExtendCommand and nsExtendArgs object identifiers (OIDs) via SNMP SET operations, an attacker can execute arbitrary system commands on the target host.
Impact
An attacker with knowledge of a read/write SNMP community string can achieve remote code execution as the user running the Net-SNMP daemon, leading to host compromise. This daemon is often an unprivileged service account like snmp or Debian-snmp, but can sometimes be root.
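A configuration check for the condition described above, as an added example that is not part of the original advisory: it scans snmpd.conf text for `rwcommunity`/`rwcommunity6` directives and reports, per line, whether the grant is open to any source and whether it reaches the extend subtree. The sample config and the function names are constructed for illustration; only the `rwcommunity` shorthand is parsed, so write access granted through `com2sec`/`group`/`access` lines is not covered.

```python
import shlex

# NET-SNMP-EXTEND-MIB::nsExtendObjects: subtree holding nsExtendCommand/nsExtendArgs
EXTEND_OID = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2)
RW_DIRECTIVES = {"rwcommunity", "rwcommunity6"}

# Constructed sample config for illustration, not taken from a real host.
SAMPLE = """\
# constructed sample
syslocation Bob's rack
rocommunity public default
rwcommunity example-rw-string
rwcommunity example-rw-string 192.0.2.0/24 .1.3.6.1.2.1.1
rwcommunity6 example-rw-string default -V writeview
"""

def reaches_extend(restriction):
    """True/False when a numeric OID restriction does/does not overlap the extend
    subtree; None when this line alone cannot decide (symbolic name or -V view)."""
    if restriction is None:
        return True  # no OID restriction: the grant covers the whole tree
    try:
        oid = tuple(int(p) for p in restriction.strip(".").split("."))
    except ValueError:
        return None
    n = min(len(oid), len(EXTEND_OID))
    return oid[:n] == EXTEND_OID[:n]

def audit(conf_text):
    """List every community-based read/write grant; the community string is never copied out."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote in free text, e.g. syslocation
            tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0].lower() not in RW_DIRECTIVES:
            continue
        source = tok[2] if len(tok) > 2 else "default"
        restriction = tok[3] if len(tok) > 3 else None
        findings.append({
            "line": lineno,
            "directive": tok[0],
            "source": source,
            "any_source": source == "default",
            "reaches_extend": reaches_extend(restriction),
        })
    return findings
```

A finding with `reaches_extend` set to `None` needs the referenced view or symbolic OID resolved by hand before it can be ruled out.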