Rapid7 Vulnerability & Exploit Database

OpenNMS Authenticated XXE

Back to Search

OpenNMS Authenticated XXE



OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface. Although this attack requires authentication, there are several factors that increase the severity of this vulnerability. 1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty with the core of OpenNMS is that these components need to run as root to be able to bind to low-numbered ports or generate network traffic that requires root" 2. The user that you must authenticate as is the "rtc" user which has the default password of "rtc". There is no mention of this user in the installation guides found here: http://www.opennms.org/wiki/Tutorial_Installation, only mention that you should change the default admin password of "admin" for security purposes.


  • Stephen Breen <breenmachine@gmail.com>
  • Justin Kennedy <jstnkndy@gmail.com>



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/gather/opennms_xxe
msf auxiliary(opennms_xxe) > show actions
msf auxiliary(opennms_xxe) > set ACTION < action-name >
msf auxiliary(opennms_xxe) > show options
    ...show and set options...
msf auxiliary(opennms_xxe) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security