A remote code execution flaw affects Network UPS Tools, the widely used NUT monitoring suite. The bug, CVE-2026-54161, carries a CVSS score of 8.1. It can run commands as root on the monitoring host, and no fixed release exists yet.
Why This Network UPS Tools RCE Matters
NUT ships with most Linux distributions and many appliances. Storage, virtualization, and automation vendors bundle it too. As a result, this Network UPS Tools RCE reaches a broad base of servers.
The upsmon client often runs as root to manage safe shutdowns. Therefore, a successful attack can hand over the whole host.
How the Attack Works
upsmon trusts the values that its upsd server returns. One value, ups.alarm, is not sanitized before use. When a UPS reports an alarm, upsmon passes that text into a shell command run through system().
If the operator enabled NOTIFYCMD with EXEC on the ALARM event, shell metacharacters in ups.alarm run as commands. This upsmon command injection then executes as the upsmon user. That user is usually root.
Who Can Trigger It
An attacker must control the alarm value. A malicious or compromised upsd qualifies. So does a man-in-the-middle on the plaintext link, or a rogue UPS device. The device vector sits upstream of upsd, so TLS there does not stop it.
Affected Versions
This Network UPS Tools RCE affects NUT 2.8.3, 2.8.4, and 2.8.5, plus current git master. Versions 2.8.2 and earlier stay safe. The alarm handling that caused the bug arrived in 2.8.3.
Patch and Mitigation
No patched release exists at publication, though a fix sits in upstream pull request #3499. A public proof-of-concept appears in the official GitHub advisory, yet no in-the-wild abuse has surfaced. Until a release ships, drop EXEC from the ALARM notify flag, lock down the upsd network, and treat every ups.* value as untrusted.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.