Website URL:

Version: 5.6 Build 04

Description: Z-Cron is task scheduling software that enables administrators and users to schedule tasks on a system.

Exploit Details: Z-Cron tasks are shared globally throughout the system, so any user can open the software, modify a task (an Insecure Access Control issue), and have it executed. If the executable is stored in a publicly accessible location, all logged-in users will have the task executed.

Video Demonstrating the Exploit:

Steps To Reproduce




Above is a screenshot of the task being executed as well as the log files.

Now we’re going to begin the exploitation portion: an unprivileged user can modify the privileged user's task.





This should be a lesson about access control and how powerful it is when any user can modify something that a privileged user has created.
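One way to review the second condition described above (a task executable stored where any user can change it) is to inspect its ACL. The following is an added example, not code from the original post or from Z-Cron: it parses `icacls` output and reports allow entries that give broad groups write-capable rights. The paths, the sample output and the list of broad principals are constructed assumptions, not Z-Cron's real locations.

```python
import re

# Assumed list of principals that cover ordinary, unprivileged users.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls codes that permit changing or replacing a file or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA", "WDAC", "WO"}
ACE = re.compile(r"^(?P<who>[^:()]+):(?P<flags>(?:\([^()]*\))+)$")


def risky_aces(path, icacls_output):
    """Return [(principal, rights)] for allow ACEs that let broad groups modify path.

    `path` must be spelled exactly as icacls printed it, so the prefix can be cut.
    """
    findings = []
    for raw in icacls_output.splitlines():
        line = raw[len(path):] if raw.startswith(path) else raw
        m = ACE.match(line.strip())
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m["flags"]):
            tokens.update(t.strip().upper() for t in group.split(","))
        if "DENY" in tokens or "IO" in tokens:
            continue  # deny and inherit-only entries grant nothing on this object
        rights = tokens & WRITE_RIGHTS
        who = m["who"].strip()
        if who.lower() in BROAD and rights:
            findings.append((who, sorted(rights)))
    return findings


def audit(outputs):
    """Map each path to its risky ACEs, omitting paths with none."""
    return {p: f for p, out in outputs.items() if (f := risky_aces(p, out))}


# Constructed sample: placeholder paths and hand-written icacls output.
SAMPLE = {
    r"C:\Public\job.exe": r"""C:\Public\job.exe Everyone:(I)(F)
                  BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; 0 failed processing any files""",
    r"C:\Program Files\Vendor\job.exe": r"""C:\Program Files\Vendor\job.exe BUILTIN\Users:(I)(RX)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                Everyone:(DENY)(W)""",
}

if __name__ == "__main__":
    for path, aces in audit(SAMPLE).items():
        print(path, aces)
```

Feed it the output of `icacls <path>` for each executable a scheduled task points to; any path it reports can be replaced or altered by an unprivileged account.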


Thank you to @OptionalCTF for editing the video demonstrating the exploit and @OrielOrielOriel for confirming my sanity throughout this long-long-long night.