📄 Description (English)
NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.
🤖 AI Executive Summary
NetBox versions 4.3.5-4.5.4 contain a critical remote code execution vulnerability in template rendering that allows authenticated users with specific permissions to execute arbitrary code by bypassing Jinja2 sandbox protections. The vulnerability exploits the finalize parameter to invoke dangerous Python callables like subprocess.getoutput, executing commands as the NetBox service user. This poses significant risk to organizations using NetBox for infrastructure management, particularly in critical sectors managing network and IT assets.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 03:06
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using NetBox for network and infrastructure management face significant risk, particularly: (1) Government entities and NCA using NetBox for IT asset management and network documentation; (2) ARAMCO and energy sector organizations managing critical infrastructure configurations; (3) Banking and financial institutions (SAMA-regulated) using NetBox for network infrastructure; (4) Telecom operators (STC, Mobily, Zain) managing network assets; (5) Healthcare organizations managing medical device networks. The vulnerability allows lateral movement and privilege escalation within critical infrastructure, potentially compromising confidentiality, integrity, and availability of essential services.
🏢 Affected Saudi Sectors
Government
Banking and Financial Services
Energy and Utilities
Telecommunications
Healthcare
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all NetBox instances running versions 4.3.5-4.5.4 in your environment
2. Restrict access to users with exporttemplate and configtemplate permissions immediately
3. Review audit logs for suspicious template modifications or exports
4. Disable template export functionality if not critical to operations
PATCHING GUIDANCE:
1. Upgrade to NetBox version 4.5.5 or later when available
2. Monitor NetBox GitHub repository and security advisories for patch release
3. Test patches in non-production environment before deployment
4. Plan maintenance window for production upgrades
COMPENSATING CONTROLS (until patch available):
1. Implement network segmentation to restrict NetBox access to authorized personnel only
2. Deploy Web Application Firewall (WAF) rules to monitor template-related API endpoints
3. Implement strict input validation on environment_params field
4. Disable Jinja2 finalize parameter functionality at application level if possible
5. Monitor subprocess and command execution attempts from NetBox service user
6. Implement file integrity monitoring on NetBox configuration files
DETECTION RULES:
1. Monitor for API calls to /api/dcim/export-templates/ and /api/extras/config-templates/ endpoints
2. Alert on environment_params field modifications containing 'subprocess', 'getoutput', 'system', 'popen'
3. Monitor NetBox service user process execution for unexpected child processes
4. Track failed and successful template rendering operations
5. Monitor for Python import statements in template parameters
6. Alert on finalize parameter usage in template configurations
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ NetBox التي تعمل بالإصدارات 4.3.5-4.5.4 في بيئتك
2. تقييد الوصول للمستخدمين الذين لديهم صلاحيات exporttemplate و configtemplate فوراً
3. مراجعة سجلات التدقيق للتعديلات أو التصديرات المريبة للقوالب
4. تعطيل وظيفة تصدير القوالب إذا لم تكن حرجة للعمليات
إرشادات التصحيح:
1. الترقية إلى إصدار NetBox 4.5.5 أو أحدث عند توفره
2. مراقبة مستودع NetBox GitHub والتنبيهات الأمنية لإصدار التصحيح
3. اختبار التصحيحات في بيئة غير الإنتاج قبل النشر
4. تخطيط نافذة صيانة لترقيات الإنتاج
الضوابط البديلة (حتى توفر التصحيح):
1. تطبيق تقسيم الشبكة لتقييد وصول NetBox للموظفين المصرح لهم فقط
2. نشر قواعد جدار حماية تطبيقات الويب لمراقبة نقاط نهاية API المتعلقة بالقوالب
3. تطبيق التحقق الصارم من المدخلات على حقل environment_params
4. تعطيل وظيفة معامل finalize في Jinja2 على مستوى التطبيق إن أمكن
5. مراقبة محاولات تنفيذ subprocess والأوامر من مستخدم خدمة NetBox
6. تطبيق مراقبة سلامة الملفات على ملفات تكوين NetBox
قواعد الكشف:
1. مراقبة استدعاءات API إلى نقاط نهاية /api/dcim/export-templates/ و /api/extras/config-templates/
2. تنبيه على تعديلات حقل environment_params التي تحتوي على 'subprocess' أو 'getoutput' أو 'system' أو 'popen'
3. مراقبة تنفيذ العمليات لمستخدم خدمة NetBox للعمليات الفرعية غير المتوقعة
4. تتبع عمليات تصريف القوالب الفاشلة والناجحة
5. مراقبة بيانات استيراد Python في معاملات القالب
6. تنبيه على استخدام معامل finalize في تكوينات القالب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Authorization and access control
A.6.2.1 - User access management
A.8.1.1 - Audit logging and monitoring
A.12.4.1 - Event logging
A.14.2.1 - System development and maintenance controls
🔵 SAMA CSF
ID.AM-2 - Software platforms and applications are inventoried
PR.AC-1 - Identities and credentials are issued and managed
PR.AC-4 - Access rights are managed
DE.CM-1 - The network is monitored for unauthorized connections
DE.AE-1 - A baseline of network operations and expected data flows is established
RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.6.1 - Screening
A.6.2 - User access management
A.8.1 - User endpoint devices
A.8.2 - Privileged access rights
A.12.4 - Logging
A.14.2 - Security in development and support processes
🔗 References & Sources 4
🔗
🔗
🔗
🔗
https://chocapikk.com/posts/2026/netbox-export-template-rce/
disclosure@vulncheck.com
https://github.com/netbox-community/netbox/issues/22079
disclosure@vulncheck.com
https://github.com/netbox-community/netbox/pull/22078
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin
disclosure@vulncheck.com