Back to KEVs

CVE-2019-16278

Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted...

Basic Information

CVE State
PUBLISHED
Reserved Date
September 13, 2019
Published Date
October 14, 2019
Last Updated
November 07, 2024
Vendor
n/a
Product
n/a
Description
Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5 -

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2024-11-07 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2022-03-24 12:06:55 UTC) Source

References

http://www.nazgul.ch/dev/nostromo_cl.txt https://sp0re.sh https://git.sp0re.sh/sp0re/Nhttpd-exploits http://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html http://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-11-07 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/nostromo_code_exec.rb 2025-04-29 11:01:22 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-16278.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

nostromo_code_exec

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-16278

alexander-fernandes/CVE-2019-16278

Type: github • Created: 2022-03-24 12:06:55 UTC • Stars: 0

A quick python exploit for the Nostromo 1.9.6 remote code execution vulnerability. Only takes in host and port of web server as required arguments.

n3rdh4x0r/CVE-2019-16278

Type: github • Created: 2021-07-19 00:45:07 UTC • Stars: 0

NHPT/CVE-2019-16278

Type: github • Created: 2020-01-01 13:28:40 UTC • Stars: 0

CVE-2019-16278:Nostromo Web服务器的RCE漏洞

aN0mad/CVE-2019-16278-Nostromo_1.9.6-RCE

Type: github • Created: 2019-11-26 14:15:44 UTC • Stars: 6

Python script to exploit RCE in Nostromo nhttpd <= 1.9.6.

AnubisSec/CVE-2019-16278

Type: github • Created: 2019-11-22 18:35:14 UTC • Stars: 8

A quick python exploit for the Nostromo 1.9.6 remote code execution vulnerability. Simply takes a host and port that the web server is running on.

ianxtianxt/CVE-2019-16278

Type: github • Created: 2019-10-15 12:47:59 UTC • Stars: 2

CVE-2019-16278Nostromo httpd命令执行

imjdl/CVE-2019-16278-PoC

Type: github • Created: 2019-10-15 09:22:36 UTC • Stars: 8

CVE-2019-16728 Proof of Concept

jas502n/CVE-2019-16278

Type: github • Created: 2019-10-15 03:40:13 UTC • Stars: 69

Directory transversal to remote code execution