Description
A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in freeze in core/generators.py.
Published: 2026-05-08
Score: 7.3 High
EPSS: 59.5% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection vulnerability exists in the payload build page of BYOB (Build Your Own Botnet) version 2.0. By manipulating the build parameter, an attacker can cause the server to execute arbitrary operating‑system commands as the web application user. This flaw permits remote code execution, potentially compromising the entire host system. The weakness is a classic command injection flaw classified as CWE-77.

Affected Systems

The affected product is BYOB (Build Your Own Botnet) 2.0, an open‑source tool for building botnet payloads. No other product versions are listed as vulnerable. Vendor information was not provided by the CNA, so the assessment is limited to the BYOB identifier and its core/generators.py module.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, and the EPSS score of 60% reflects a relatively high probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is the public or unprotected payload build endpoint, which an attacker can access without authentication. When triggered, the flaw allows execution of arbitrary commands with the privileges of the web application process, leading to full compromise of the host. Additional exploitation requires only network connectivity to the target system and the ability to send a crafted build request.

Generated by OpenCVE AI on May 29, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If immediate patching is not possible, restrict access to the payload build page using firewalls or network segmentation to limit exposure until remediation is applied.
  • Implement input validation on the build parameter, ensuring only expected values are accepted or properly sanitizing any user‑supplied data before expansion into system calls, thereby mitigating command injection.
  • Check the BYOB project’s GitHub releases or community advisories for updates that address the issue, and apply them as soon as they become available.

Generated by OpenCVE AI on May 29, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title Command Injection in BYOB Payload Builder Enabling Remote Code Execution

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Command Injection in BYOB Payload Builder Enabling Remote Code Execution

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Malwared
Malwared byob
Vendors & Products Malwared
Malwared byob

Sat, 09 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title Command Injection via Payload Build Parameter in BYOB 2.0

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title Command Injection via Payload Build Parameter in BYOB 2.0

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in BYOB Payload Builder
Weaknesses CWE-78

Fri, 08 May 2026 07:15:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in BYOB Payload Builder
Weaknesses CWE-78

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in freeze in core/generators.py.
References

Subscriptions

Malwared Byob
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T17:43:08.428Z

Reserved: 2024-08-25T00:00:00.000Z

Link: CVE-2024-45257

cve-icon Vulnrichment

Updated: 2026-05-08T17:43:02.888Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-08T06:16:09.687

Modified: 2026-05-08T18:16:32.337

Link: CVE-2024-45257

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T16:00:15Z

Weaknesses