CVE-2015-9059

9.8 CRITICAL

📋 TL;DR

CVE-2015-9059 is a command injection vulnerability in picocom's 'send and receive file' command that allows arbitrary command execution via shell injection. This affects all picocom users before version 2.0 who use the file transfer functionality. Attackers can execute commands with the privileges of the picocom process.

💻 Affected Systems

Products:
  • picocom
Versions: All versions before 2.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the file transfer functionality; systems not using this feature may still be vulnerable if the command is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root privileges if picocom runs as root, allowing complete control over the affected system.

🟠 Likely Case

Arbitrary command execution with user privileges, potentially leading to privilege escalation, data theft, or lateral movement.

🟢 If Mitigated

Limited impact if picocom runs with minimal privileges and network access is restricted.

🌐 Internet-Facing: MEDIUM - picocom is typically used for serial communication, not directly internet-facing, but could be exposed via network serial servers.
🏢 Internal Only: HIGH - If used internally with vulnerable configurations, attackers with network access could exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to picocom's command interface; public exploit code exists in commit references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0 and later

Vendor Advisory: https://github.com/npat-efault/picocom/commit/1ebc60b20fbe9a02436d5cbbf8951714e749ddb1

Restart Required: No

Instructions:

1. Update picocom to version 2.0 or later.
2. For Debian/Ubuntu: apt-get update && apt-get install picocom
3. For source: git clone https://github.com/npat-efault/picocom && cd picocom && make && sudo make install

🔧 Temporary Workarounds

Disable file transfer functionality

linux

Remove or restrict access to the vulnerable 'send and receive file' command.

chmod -x /usr/bin/picocom (if not needed)
Use alternative serial tools like minicom

Run with minimal privileges

linux

Execute picocom as non-root user to limit potential damage.

sudo -u nobody picocom [options]

🧯 If You Can't Patch

  • Restrict network access to systems running picocom using firewall rules.
  • Monitor for unusual process execution from picocom sessions.

🔍 How to Verify

Check if Vulnerable:

Check picocom version: picocom --version | grep -q '^picocom 1' && echo 'VULNERABLE'

Check Version:

picocom --version

Verify Fix Applied:

Verify version is 2.0 or later: picocom --version | grep -q '^picocom 2' && echo 'PATCHED'

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from picocom process
  • Shell commands in picocom logs

Network Indicators:

  • Unexpected network connections from systems running picocom

SIEM Query:

process.name='picocom' AND (command_line CONTAINS ';' OR command_line CONTAINS '|' OR command_line CONTAINS '&')
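The SIEM query above combines one AND with several ORs, so how the terms are grouped decides which processes it matches. The following is an added example, not part of the original advisory: it evaluates both groupings over constructed process-creation events, assuming a query language where AND binds tighter than OR and events that carry the `process.name` and `command_line` fields.

```python
# Added example: the field names come from the query above; every event
# below is constructed sample data, not a real log.
METACHARS = (";", "|", "&")

EVENTS = [
    {"process.name": "picocom", "command_line": "picocom -b 115200 /dev/ttyUSB0"},
    {"process.name": "picocom",
     "command_line": "picocom --send-cmd 'sz -vv; echo constructed' /dev/ttyS0"},
    {"process.name": "bash", "command_line": "bash -c 'ps aux | grep sshd'"},
    {"process.name": "picocom",
     "command_line": "picocom --receive-cmd 'rz -vv & echo constructed' /dev/ttyS0"},
    {"process.name": "sshd", "command_line": "/usr/sbin/sshd -D"},
]


def ungrouped(event):
    """Query without parentheses, assuming AND binds tighter than OR:
    (name = picocom AND ';') OR '|' OR '&'."""
    cl = event["command_line"]
    return (event["process.name"] == "picocom" and ";" in cl) or "|" in cl or "&" in cl


def grouped(event):
    """Query with the OR terms parenthesised: the process must be picocom
    AND its command line must contain at least one shell metacharacter."""
    cl = event["command_line"]
    return event["process.name"] == "picocom" and any(c in cl for c in METACHARS)


def flagged(predicate, events=EVENTS):
    """Return the indexes of the events that the predicate matches."""
    return [i for i, event in enumerate(events) if predicate(event)]


def false_positives(events=EVENTS):
    """Events matched only because the OR terms escaped the picocom filter."""
    return sorted(set(flagged(ungrouped, events)) - set(flagged(grouped, events)))


if __name__ == "__main__":
    print("ungrouped:", flagged(ungrouped))
    print("grouped:  ", flagged(grouped))
    print("noise:    ", false_positives())
```

Without the grouping, any process whose command line contains a pipe or an ampersand matches, which on a busy host swamps the picocom hits.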
