tenable:41028 · Disclosed 1998-11-17

SNMP Agent Default Community Name

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a building directory left in the lobby, not the master key cabinet

Tenable plugin 41028 fires when an SNMP agent answers to the default read community string public, mapping to CVE-1999-0517. There is no product-specific vulnerable version range here: any device, server, printer, UPS, switch, router, or appliance running SNMPv1/v2c and still accepting public is affected. In practice this usually means read access to MIB data such as system description, interface inventory, routing details, ARP tables, software hints, and other reconnaissance-friendly metadata over UDP/161.

The vendor's HIGH label overstates reality for most enterprise estates. The decisive friction is reachability: SNMP is commonly limited to management VLANs, source-IP ACLs, or internal monitoring zones, which means the attacker often already needs internal network access before this matters. Impact is also usually *information disclosure*, not remote code execution; public is conventionally read-only, and actual config changes usually require a separate write community like private or an additional misconfiguration.

"Easy to probe, but usually post-compromise or management-plane only; this is a misconfiguration problem, not a true HIGH-severity bug."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an SNMP-speaking target with reachable UDP/161

An attacker starts with nmap -sU -p 161 or an exposure index such as Shodan/Censys to identify hosts answering on SNMP. This is trivial on the public internet and equally easy from an internal foothold. The toolchain is commodity and noisy, not sophisticated.
Conditions required:
  • UDP/161 must be reachable from the attacker's network position
  • The target must actually run SNMP
Where this breaks in practice:
  • Many enterprises bind SNMP to management networks only
  • Per-device ACLs often allow polling only from NMS collectors
  • Internet-facing SNMP is far less common on managed enterprise endpoints than on appliances or edge gear
Detection/coverage: External scanners and ASM products reliably detect UDP/161 exposure. Nessus can identify this remotely; Nmap, Censys, and Shodan also cover the exposure precondition well.
STEP 02

Test the default community string public

Using snmpwalk, onesixtyone, or Metasploit's snmp_login, the attacker sends a basic SNMPv1/v2c query with community public. If the agent responds, the finding is real: authentication is effectively guessable because the default is globally known.
Conditions required:
  • SNMPv1 or SNMPv2c must be enabled
  • The device must still accept public
  • Any SNMP ACL must permit the attacker's source IP
Where this breaks in practice:
  • SNMPv3-only deployments stop this cold
  • Read community may be changed from public even if SNMP stays enabled
  • ACLs may permit the NMS but block arbitrary hosts on the same network
Detection/coverage: A blind remote scan only sees this when the scanner's source IP passes whatever SNMP ACL the device enforces; credentialed configuration audits of the device find the default community regardless of where the scanner sits. Where you can reach UDP/161, remote validation is a single snmpget with community public.
STEP 03

Enumerate operational data for recon and pivoting

Once public works, snmpwalk can dump system and network metadata that materially improves post-compromise navigation: hostnames, interface maps, route tables, neighbor clues, software banners, printer/share details, and other MIB content. This often shortens time-to-objective for lateral movement even when it does not provide direct code execution.
Conditions required:
  • The accepted community must have read permissions to useful OIDs
  • The device must expose meaningful MIB data
Where this breaks in practice:
  • Some agents expose only limited MIB views
  • Read-only access does not itself change configuration
  • Impact is per-device and management-plane scoped unless the attacker can chain the intel into something else
Detection/coverage: SNMP query volume, unusual source IPs, and broad MIB walking can be seen in firewall, NDR, or device logs when enabled, but many environments have weak SNMP telemetry.
STEP 04

Chain the intel into broader compromise

The real weaponization is indirect: the attacker uses the recovered inventory and topology to target credentials, admin interfaces, routing choke points, or vulnerable firmware next. If the same environment also exposes a write community or weak management segregation, snmpset becomes a separate escalation path, but that is beyond what plugin 41028 alone proves.
Conditions required:
  • The attacker must have follow-on access or another exploitable weakness to chain from the leaked data
  • Operational metadata must reveal something actionable
Where this breaks in practice:
  • This plugin does not prove write access
  • This plugin does not prove internet reachability
  • This plugin does not prove a full host compromise path by itself
Detection/coverage: Most scanners stop at validation of public; chaining activity is what EDR, IAM telemetry, and network segmentation controls are meant to catch.
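What steps 03 and 04 actually hand the attacker is easier to see with a parser over real walk output. The following is an added example for this page, not code from noisgate, Tenable or Net-SNMP: it turns `snmpwalk -v2c -c public -On <target>` output into a reconnaissance summary (hostname, banner, interfaces, local addresses, next hops, ARP neighbours, running processes). The column OIDs are standard MIB-II and HOST-RESOURCES-MIB; the sample walk, hostnames, addresses, MACs and process names are constructed.

```python
"""Turn `snmpwalk -On` output into a reconnaissance summary.

Added example for the noisgate page; not code from the page or from Net-SNMP.
SAMPLE_WALK is a constructed sample in Net-SNMP's numeric-OID (-On) format: the
column OIDs are standard MIB-II / HOST-RESOURCES-MIB, every hostname, address,
MAC and process name is invented.
"""
import re
from collections import defaultdict

# Constructed: roughly what `snmpwalk -v2c -c public -On <target>` returns from a
# Linux gateway that still accepts 'public' (trimmed to the interesting rows).
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Linux core-gw01 5.15.0-generic #1 SMP x86_64
.1.3.6.1.2.1.1.5.0 = STRING: core-gw01
.1.3.6.1.2.1.1.6.0 = STRING: DC1 rack 4, mgmt VLAN 900
.1.3.6.1.2.1.2.2.1.2.1 = STRING: lo
.1.3.6.1.2.1.2.2.1.2.2 = STRING: eth0
.1.3.6.1.2.1.2.2.1.2.3 = STRING: eth1.900
.1.3.6.1.2.1.4.20.1.1.10.20.30.1 = IpAddress: 10.20.30.1
.1.3.6.1.2.1.4.20.1.1.172.16.9.2 = IpAddress: 172.16.9.2
.1.3.6.1.2.1.4.21.1.7.0.0.0.0 = IpAddress: 172.16.9.1
.1.3.6.1.2.1.4.21.1.7.10.50.0.0 = IpAddress: 10.20.30.254
.1.3.6.1.2.1.4.22.1.2.2.10.20.30.7 = Hex-STRING: 00 50 56 A1 B2 C3
.1.3.6.1.2.1.4.22.1.2.2.10.20.30.254 = Hex-STRING: 00 1C 73 0A 0B 0C
.1.3.6.1.2.1.25.4.2.1.2.412 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.988 = STRING: "snmpd"
.1.3.6.1.2.1.25.4.2.1.2.1402 = STRING: "mysqld"
.1.3.6.1.2.1.25.6.3.1.2.17 = STRING: "openssh-server_8.9p1"
"""

# Scalars are keyed by their full OID; table columns by their prefix (trailing dot).
COLUMNS = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",          # OS / firmware banner
    "1.3.6.1.2.1.1.5.0": "sysName",           # hostname
    "1.3.6.1.2.1.1.6.0": "sysLocation",       # often leaks site / VLAN naming
    "1.3.6.1.2.1.2.2.1.2.": "ifDescr",        # interface inventory
    "1.3.6.1.2.1.4.20.1.1.": "ipAdEntAddr",   # addresses configured on this box
    "1.3.6.1.2.1.4.21.1.7.": "ipRouteNextHop",           # routing table next hops
    "1.3.6.1.2.1.4.22.1.2.": "ipNetToMediaPhysAddress",  # ARP cache: live neighbours
    "1.3.6.1.2.1.25.4.2.1.2.": "hrSWRunName",            # running processes
    "1.3.6.1.2.1.25.6.3.1.2.": "hrSWInstalledName",      # installed packages
}

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[\w-]+): ?(?P<value>.*)$")


def parse_walk(text):
    """Yield (oid, type, value) for each `OID = TYPE: value` line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        value = m.group("value").strip().strip('"')
        if m.group("type") == "Hex-STRING":
            value = ":".join(value.split()).lower()  # "00 50 56 .." -> "00:50:56:.."
        yield m.group("oid"), m.group("type"), value


def summarize(text):
    """Group the walk by MIB column: {'system': {...}, 'ifDescr': {index: value}, ...}."""
    inv = defaultdict(dict)
    for oid, _typ, value in parse_walk(text):
        for prefix, name in COLUMNS.items():
            if oid == prefix:
                inv["system"][name] = value
            elif prefix.endswith(".") and oid.startswith(prefix):
                inv[name][oid[len(prefix):]] = value  # row index suffix -> value
    return inv


def arp_neighbors(inv):
    """{ip: mac} from ipNetToMediaPhysAddress; its row index is <ifIndex>.<ip>."""
    out = {}
    for suffix, mac in inv.get("ipNetToMediaPhysAddress", {}).items():
        _ifindex, ip = suffix.split(".", 1)
        out[ip] = mac
    return out


if __name__ == "__main__":
    inv = summarize(SAMPLE_WALK)
    print("host:", inv["system"].get("sysName"), "|", inv["system"].get("sysDescr"))
    print("interfaces:", sorted(inv["ifDescr"].values()))
    print("local addrs:", sorted(inv["ipAdEntAddr"].values()))
    print("next hops:", dict(inv["ipRouteNextHop"]))
    print("arp neighbours:", arp_neighbors(inv))
    print("running:", sorted(inv["hrSWRunName"].values()))
```

Feed it a saved walk (`snmpwalk ... -On target > walk.txt`) and the output is the same thing an intruder reads: the default route next hop is the next pivot, the ARP cache is a pre-built target list on the management segment, and the process and package names tell them which CVEs to try without ever touching the box over a logged protocol.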
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No evidence that CVE-1999-0517 is in CISA KEV, and I did not find a modern named campaign centered on this CVE alone. Real-world use is better understood as *routine opportunistic SNMP enumeration* rather than a standalone intrusion vector.
Proof-of-concept / tooling: Commodity tooling is abundant; snmpwalk from Net-SNMP, Trail of Bits' onesixtyone, and Metasploit SNMP login/enumeration modules all support trivial validation.
EPSS: Tenable's CVE page shows EPSS 0.91998 for CVE-1999-0517. Treat that cautiously: this is a very old, generic configuration weakness, so the score reflects exploit *observability / prevalence* more than high-consequence compromise.
KEV status: Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS baseline: Legacy CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) assumes network reachability and partial CIA impact. In practice that model is too generous because public is usually read-only and often reachable only from management networks.
Affected scope: Any SNMP agent using SNMPv1 or SNMPv2c with community public is affected. This is configuration-driven, not tied to a single vendor release train.
Fixed state: There is usually no patch version. The fix is to disable unused SNMP, change the default community, restrict poller source IPs with ACLs, or migrate to SNMPv3 with authentication/privacy.
Exposure data: Shodan's public port summary showed about 3,025,902 hosts with UDP/161 (snmp) at crawl time, which confirms broad global exposure of the protocol. That does not mean all exposed SNMP services accept public, but it does show the reachable population is non-trivial.
Disclosure timeline: NVD lists CVE-1999-0517 as published 1997-01-01; Tenable lists vulnerability publication 1998-11-17; Nessus plugin 41028 was published 2002-11-25 and updated 2022-06-01.
Reporting / source lineage: The issue class is tracked by MITRE/NVD as CVE-1999-0517; Tenable operationalizes it in plugin 41028 with current VPR 5.2 / Medium, which already hints the vendor's newer prioritization is lower than the historical HIGH badge.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (4.8/10)

The single biggest downward driver is attacker position: in most enterprises, SNMP is not broadly reachable from the internet or user subnets, so exploitation usually assumes the adversary is already on a management path or inside the network. The second limiter is impact: public commonly yields read-only telemetry and reconnaissance value, not direct remote takeover.

HIGH: Vendor `HIGH` is overstated for enterprise-wide patch prioritization
MEDIUM: Typical real-world impact is reconnaissance and metadata leakage
MEDIUM: Exposure varies sharply by network architecture and device class

Why this verdict

  • Baseline down from vendor: Tenable tags the plugin HIGH, but its own VPR is only 5.2 / Medium, which better matches modern exploitation reality.
  • Attacker position required: if UDP/161 is restricted to management VLANs or NMS collectors, this is a *post-initial-access* finding. Requiring internal network position compounds downward pressure on severity.
  • Exposure population narrows fast: yes, SNMP exists on millions of internet-visible systems globally, but within a mature enterprise fleet only a minority of assets should expose it outside management zones.
  • Modern controls should stop step 1: NGFW rules, infrastructure ACLs, and segmentation should block arbitrary source access to SNMP. If they do, the reachable population collapses.
  • Impact is usually read-only: public normally means information disclosure, not configuration change. The scarier integrity story usually needs a separate write community like private, which this plugin does not establish.

Why not higher?

This is not unauthenticated remote code execution, and it is not even guaranteed broad unauthenticated remote access in a real estate. The attack path commonly requires management-plane reachability, and the proven outcome is typically data exposure that supports later stages rather than immediate compromise of a 10,000-host estate.

Why not lower?

It still deserves attention because validation is nearly frictionless when reachable, and the leaked data can be operationally valuable to an intruder. On internet-exposed network gear, printers, UPSes, or OT-adjacent devices, public remains a very real reconnaissance amplifier.

05 · Compensating Control

What to do — in priority order.

  1. Restrict SNMP to named pollers — Apply source-IP ACLs on devices and firewalls so only approved monitoring servers can reach UDP/161. For a MEDIUM finding there is no mitigation SLA; do this as part of the 365-day remediation window, but prioritize any internet-facing or flat-network devices first because segmentation is the control that most sharply reduces exploitability.
  2. Disable SNMP where it is unused — Remove the service entirely from printers, appliances, lab gear, and legacy servers that are not actively monitored. There is no noisgate mitigation deadline for MEDIUM; fold this into normal config-hardening cycles inside the remediation window.
  3. Move to SNMPv3 — Where platforms support it, migrate from SNMPv1/v2c to SNMPv3 with auth/privacy so community-string guessing and cleartext polling go away. This is the durable fix, especially for core network and security infrastructure, and should be completed within the remediation window.
  4. Rotate default communities — Change public to a unique read-only string only if SNMPv3 migration is not immediately possible, and verify monitoring platforms are updated in lockstep. This reduces blind scanner hits, but remember it is still weaker than SNMPv3 and should be treated as an interim configuration state.
  5. Watch for broad SNMP walking — Add alerts for new SNMP source IPs, unusually wide MIB walks, and SNMP from user/workstation subnets. Detection will not fix the condition, but it is cheap compensating visibility while you clean up long-tail infrastructure.
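Item 5 above describes three detections in one sentence; the added example below, written for this page and not taken from noisgate or any firewall vendor, shows the same logic run over firewall flow records. The log format is a constructed key=value export, and the poller allowlist, the workstation subnet and both thresholds are assumptions to replace with local values.

```python
"""Flag suspicious SNMP (UDP/161) sources in firewall flow logs.

Added example for the noisgate page, not code from the page or any vendor. The
log lines are a constructed key=value firewall export; the poller allowlist, the
workstation subnet and both thresholds are assumptions to replace locally.
"""
import ipaddress
import re
from collections import Counter, defaultdict

APPROVED_POLLERS = {"10.0.5.10", "10.0.5.11"}            # assumed NMS collectors
USER_SUBNETS = [ipaddress.ip_network("10.100.0.0/16")]    # assumed workstation range
SWEEP_MIN_TARGETS = 5    # one source probing this many SNMP targets looks like a scan
WALK_MIN_PACKETS = 200   # this many datagrams to one target looks like a full MIB walk

# Constructed sample: an approved poller, a workstation that sweeps six devices and
# then walks one of them, a stray server, and two non-SNMP flows that must be ignored.
SAMPLE_LOG = """\
2026-05-11T08:00:01Z fw01 action=allow proto=udp src=10.0.5.10 dst=10.20.30.1 dport=161 pkts=40
2026-05-11T08:00:01Z fw01 action=allow proto=udp src=10.0.5.10 dst=10.20.30.2 dport=161 pkts=40
2026-05-11T08:00:01Z fw01 action=allow proto=udp src=10.0.5.10 dst=10.20.30.3 dport=161 pkts=40
2026-05-11T08:02:30Z fw01 action=allow proto=tcp src=10.100.42.17 dst=10.20.30.1 dport=443 pkts=12
2026-05-11T08:03:14Z fw01 action=allow proto=udp src=10.100.42.17 dst=10.20.30.1 dport=161 pkts=2
2026-05-11T08:03:14Z fw01 action=allow proto=udp src=10.100.42.17 dst=10.20.30.2 dport=161 pkts=2
2026-05-11T08:03:15Z fw01 action=allow proto=udp src=10.100.42.17 dst=10.20.30.3 dport=161 pkts=2
2026-05-11T08:03:15Z fw01 action=allow proto=udp src=10.100.42.17 dst=10.20.30.4 dport=161 pkts=2
2026-05-11T08:03:16Z fw01 action=allow proto=udp src=10.100.42.17 dst=10.20.30.5 dport=161 pkts=2
2026-05-11T08:03:16Z fw01 action=allow proto=udp src=10.100.42.17 dst=10.20.30.6 dport=161 pkts=2
2026-05-11T08:05:02Z fw01 action=allow proto=udp src=10.100.42.17 dst=10.20.30.1 dport=161 pkts=350
2026-05-11T08:07:45Z fw01 action=allow proto=udp src=172.16.9.77 dst=10.20.30.1 dport=161 pkts=3
2026-05-11T08:07:50Z fw01 action=allow proto=udp src=172.16.9.77 dst=10.20.30.9 dport=53 pkts=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (src, dst, pkts) for a UDP/161 flow record, else None."""
    fields = dict(KV_RE.findall(line))
    if fields.get("proto") != "udp" or fields.get("dport") != "161":
        return None
    return fields["src"], fields["dst"], int(fields.get("pkts", "1"))


def in_user_subnet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in USER_SUBNETS)


def analyze(text):
    """Return sorted (src, alert) pairs; approved pollers never alert."""
    targets_by_src = defaultdict(set)
    pkts_by_pair = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, pkts = rec
        targets_by_src[src].add(dst)
        pkts_by_pair[(src, dst)] += pkts

    alerts = set()
    for src, targets in targets_by_src.items():
        if src in APPROVED_POLLERS:
            continue                                   # known NMS: no alert
        alerts.add((src, "unapproved-snmp-source"))    # any new poller is worth a look
        if in_user_subnet(src):
            alerts.add((src, "snmp-from-user-subnet"))  # workstations should never poll
        if len(targets) >= SWEEP_MIN_TARGETS:
            alerts.add((src, "snmp-sweep"))            # step 01/02 of the attack path
    for (src, dst), pkts in pkts_by_pair.items():
        if src not in APPROVED_POLLERS and pkts >= WALK_MIN_PACKETS:
            alerts.add((src, f"mib-walk-against-{dst}"))  # step 03: bulk enumeration
    return sorted(alerts)


if __name__ == "__main__":
    for src, alert in analyze(SAMPLE_LOG):
        print(f"{src:<15} {alert}")
```

The allowlist does the real work: once pollers are enumerated, every other SNMP source is by definition new, and the sweep and walk heuristics only add priority. The volume threshold is per source/destination pair, so a workstation that touches one device twice stays a low-priority note while a full `snmpwalk` of the same device (hundreds of GetNext requests) is promoted.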
What doesn't work
  • Renaming the community string without ACLs or SNMPv3 is not a strong security control; SNMPv1/v2c still uses weak shared-secret semantics and cleartext transport.
  • Endpoint EDR does little for routers, printers, UPSes, and appliances where this finding commonly lives; the right controls are segmentation and device configuration.
  • Relying on 'read-only means safe' is weak reasoning; the issue still leaks topology and system metadata that helps attackers chain into more serious paths.
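The "renaming is not a control" point is concrete on a Net-SNMP host: the weak and the hardened states differ by a handful of snmpd.conf directives. The added example below, written for this page and not taken from noisgate or the Net-SNMP project, audits an snmpd.conf text for the conditions plugin 41028 and the guidance above care about (default community strings, community entries with no source restriction, any write community, an agent bound to every interface). Both configs are constructed; the directive names (rocommunity, rwcommunity, com2sec, createUser, rouser, agentAddress, view) are real Net-SNMP syntax, the addresses and passphrases are placeholders.

```python
"""Audit a Net-SNMP snmpd.conf for default or unrestricted community strings.

Added example for the noisgate page, not from the page or the Net-SNMP project.
Both configs are constructed; directive syntax is Net-SNMP's, the poller address,
user name and passphrases are placeholders.
"""
import re
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed: the state plugin 41028 fires on (a stock distro file, lightly edited).
WEAK_SNMPD_CONF = """\
# snmpd.conf as shipped on many distros
agentAddress udp:161,udp6:[::1]:161
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
rwcommunity private 127.0.0.1
com2sec readonly default public
"""

# Constructed: hardened equivalent. No v1/v2c community at all, SNMPv3 authPriv user
# for the collector, agent bound to the management address only, MIB view limited.
HARDENED_SNMPD_CONF = """\
agentAddress udp:10.20.30.1:161
# SNMPv3 user for the monitoring collector; real passphrases are set out-of-band
createUser nmsro SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rouser nmsro priv
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
"""

COMMUNITY_DIRECTIVES = {"rocommunity", "rocommunity6", "rwcommunity", "rwcommunity6"}


def _all_interfaces(endpoint):
    """True for agentAddress endpoints like 'udp:161' that bind every interface."""
    return re.fullmatch(r"(udp6?|tcp6?):\d+", endpoint) is not None


def audit_snmpd_conf(text):
    """Return (lineno, finding, detail) tuples; an empty list means nothing flagged."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        directive = tokens[0].lower()

        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity COMMUNITY [SOURCE] [OID | -V VIEW]; SOURCE defaults to 'default'
            community = tokens[1] if len(tokens) > 1 else ""
            source = "default"
            if len(tokens) > 2 and not tokens[2].startswith("-"):
                source = tokens[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community", community))
            if source.lower() == "default":
                findings.append((lineno, "unrestricted-source", community))
            if directive.startswith("rw"):
                findings.append((lineno, "write-community", community))

        elif directive == "com2sec" and len(tokens) >= 4:
            # com2sec NAME SOURCE COMMUNITY (long-form VACM configuration)
            source, community = tokens[2], tokens[3]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community", community))
            if source.lower() == "default":
                findings.append((lineno, "unrestricted-source", community))

        elif directive == "agentaddress":
            for endpoint in ",".join(tokens[1:]).split(","):
                if _all_interfaces(endpoint):
                    findings.append((lineno, "listens-all-interfaces", endpoint))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        print(f"== {label}: {len(audit_snmpd_conf(conf))} finding(s)")
        for lineno, finding, detail in audit_snmpd_conf(conf):
            print(f"  line {lineno}: {finding} ({detail})")
```

Two Net-SNMP caveats when applying the hardened form: createUser lines belong in the persistent configuration (typically /var/lib/snmp/snmpd.conf or /var/lib/net-snmp/snmpd.conf) because snmpd rewrites them into localized key form on first start, and both passphrases must be at least eight characters. Rotating `public` to a random string would clear the default-community finding but leave unrestricted-source in place, which is exactly why the page rates renaming alone as weak.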
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or scanner host that can reach the target's UDP/161. Invoke it as ./check_snmp_public.sh 10.20.30.40. It needs snmpget from Net-SNMP, which requires no elevated privileges. The optional nmap step that tries to separate PATCHED from UNKNOWN is a UDP scan (-sU), which needs root or CAP_NET_RAW; without that, nmap fails, the script skips the step and reports UNKNOWN. Expect UNKNOWN more often than PATCHED even with nmap: an agent that rejects a community string silently discards the request (RFC 1157), so nmap usually reports UDP/161 as open|filtered rather than open, and a hardened agent is only confirmed by its own configuration. The script is read-only; it sends one GET for sysDescr.0 per protocol version and never uses snmpset.

noisgate-verify.sh · BASH · READ-ONLY · SAFE
#!/usr/bin/env bash
# check_snmp_public.sh
# Validate whether a target answers SNMPv1/v2c with the default community string 'public'.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=VULNERABLE, 1=PATCHED, 2=UNKNOWN, 3=usage/dependency error
# Read-only: one GET of sysDescr.0 per protocol version; nothing is written to the agent.

set -u

TARGET="${1:-}"
TIMEOUT_SECS="2"
OID="1.3.6.1.2.1.1.1.0"  # sysDescr.0

if [[ -z "$TARGET" ]]; then
  echo "Usage: $0 <ip-or-hostname>"
  exit 3
fi

if ! command -v snmpget >/dev/null 2>&1; then
  echo "UNKNOWN - missing dependency: snmpget (Net-SNMP)"
  exit 3
fi

snmp_query() {
  local ver="$1"
  # -t: per-request timeout, -r 0: no retries, -Oqv: print only the value
  snmpget -v "$ver" -c public -t "$TIMEOUT_SECS" -r 0 -Oqv "$TARGET" "$OID" 2>/dev/null
}

RESP_V2C="$(snmp_query 2c || true)"
if [[ -n "$RESP_V2C" ]]; then
  echo "VULNERABLE - target responded to SNMPv2c community 'public': $RESP_V2C"
  exit 0
fi

RESP_V1="$(snmp_query 1 || true)"
if [[ -n "$RESP_V1" ]]; then
  echo "VULNERABLE - target responded to SNMPv1 community 'public': $RESP_V1"
  exit 0
fi

# No answer to 'public'. If nmap is present, use a UDP probe to tell an agent that
# rejected the community (PATCHED) from a closed/filtered port (UNKNOWN).
# nmap -sU needs raw sockets (root or CAP_NET_RAW); if it cannot run, fall through to UNKNOWN.
if command -v nmap >/dev/null 2>&1; then
  NMAP_OUT="$(nmap -Pn -sU -p 161 --host-timeout 15s --max-retries 1 "$TARGET" 2>/dev/null)"
  NMAP_RC=$?
  if [[ "$NMAP_RC" -eq 0 ]]; then
    # Require whitespace after 'open' so that 'open|filtered' is NOT treated as open.
    if echo "$NMAP_OUT" | grep -Eq '161/udp[[:space:]]+open[[:space:]]'; then
      echo "PATCHED - UDP/161 appears open, but community 'public' did not return data"
      exit 1
    fi
    if echo "$NMAP_OUT" | grep -Eq '161/udp[[:space:]]+(closed|filtered|open[|]filtered)'; then
      echo "UNKNOWN - no response to 'public' and SNMP reachability is inconclusive or blocked"
      exit 2
    fi
  fi
fi

echo "UNKNOWN - no response to community 'public'; target may be patched, SNMPv3-only, ACL-restricted, filtered, or offline"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a configuration-hardening cleanup item, not a fleet-emergency patch event. Because the reassessed severity is MEDIUM there is no noisgate mitigation SLA; the 365-day remediation window applies. Use it to inventory every plugin 41028 hit, separate internet-facing and management-plane devices from low-risk internal-only gear, then disable unused SNMP, restrict UDP/161 to approved pollers, and migrate critical infrastructure to SNMPv3. Do the internet-exposed edge and network devices first rather than spending equal effort on every internal printer.

Sources

  1. Tenable Nessus Plugin 41028
  2. Tenable CVE page for CVE-1999-0517
  3. NVD CVE-1999-0517
  4. CISA Known Exploited Vulnerabilities Catalog
  5. Shodan public port exposure summary for UDP/161
  6. RFC 1157 - Simple Network Management Protocol
  7. Cisco SNMPv2c documentation
  8. Trail of Bits onesixtyone SNMP scanner