Metasploit Exploits
3,315 exploits tracked across all sources.
Samba 3.0.0-3.3.12 - Remote Code Execution via SMB1 Packet Chaining
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
by Jun Mao, jduck
Adobe Flash Player ActionScript Launch Command Execution Vulnerability
Unspecified vulnerability in Adobe Flash Player for Linux 10.0.12.36, and 9.0.151.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file.
by 0a29406d9794e4f9b30b3c5d6702c708
Redis < 3.2.12, 4.x < 4.0.10, 5.x < 5.0 RC2 - Memory Corruption via Lua cmsgpack Library
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.
CVSS 9.8
Redis Lua Sandbox Escape
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
by Reginaldo Silva, jbaines-r7
CVSS 10.0
University of Washington imapd 4.7 - Authenticated Buffer Overflow via LIST Command
Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.
by aushack, jduck
PoPToP PPTP Server - Denial of Service via Invalid Control Packet Length
ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow.
PostgreSQL 8.1 - Authenticated Remote Code Execution via Database Link Library
The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.
by midnitesnake, egypt, todb, lucipher
Crestron Airmedia <1.6.0, <2.7.0 - RCE
Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote authenticated administrators to execute arbitrary code via unspecified vectors.
CVSS 7.2
Symantec Messaging Gateway < 9.5.4 - Default SSH Credentials
Symantec Messaging Gateway (SMG) before 10.0 has a default password for an unspecified account, which makes it easier for remote attackers to obtain privileged access via an SSH session.
by Stefan Viehbock, Ben Williams, sinn3r
VyOS restricted-shell Escape and Privilege Escalation
A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.
by Rich Mirch, bcoles
CVSS 9.9
Cisco IMC Supervisor, UCS Director, and UCS Director Express for Big Data - Use of Hard-coded Credentials
A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials. The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. This includes full read and write access to the system's database.
CVSS 9.8
VMware vSphere Data Protection 5.5.x-6.1.x - Unauthenticated SSH Login via Default Private Key
VMware vSphere Data Protection (VDP) 5.5.x though 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session.
by phroxvs
CVSS 9.8
Erlang OTP Pre-Auth RCE Scanner and Exploit
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
by Horizon3 Attack Team, Matt Keeley, Martin Kristiansen, mekhalleh (RAMELLA Sebastien)
CVSS 10.0
SolarWinds LEM <6.3.1 Hotfix 4 - RCE
In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiting a vulnerability in the restrictssh feature of the menuing script, an attacker can escape from the restricted shell.
by Mehmet Ince <[email protected]>
CVSS 10.0
IBM Data Risk Manager 2.0.1-2.0.6 - Use of Hard-coded Credentials
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.
CVSS 9.8
ExaGrid <4.8 P26 - Privilege Escalation
ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image.
by egypt
CVSS 7.5
VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure
Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.
by h00die, SinSinology, Harsh Jaiswal (@rootxharsh), Rahul Maini (@iamnoooob)
CVSS 9.8
Micro Focus Operation Bridge Reporter < 10.40 - Authorization Bypass via Default Credentials
An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user
CVSS 9.8
Mercurial < 4.1.3 - Authenticated Remote Code Execution via Debugger Repository Name
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
by claudijd
CVSS 8.8
Ceragon FibeAir IP-10 - Privilege Escalation
Ceragon FibeAir IP-10 have a default SSH public key in the authorized_keys file for the mateidu user, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.
by hdm, todb
CVSS 9.8
F5 BIG-IP Multiple Versions - Unauthenticated SSH Login via Shared Private Key
F5 BIG-IP appliances 9.x before 9.4.8-HF5, 10.x before 10.2.4, 11.0.x before 11.0.0-HF2, and 11.1.x before 11.1.0-HF3, and Enterprise Manager before 2.1.0-HF2, 2.2.x before 2.2.0-HF1, and 2.3.x before 2.3.0-HF3, use a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins via the PubkeyAuthentication option.
by egypt
AlienVault OSSIM < 4.7.0 - Remote Code Execution via av-centerd SOAP Service
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.
by Unknown, juan vazquez
Snort - Stack-based Buffer Overflow via Back Orifice Preprocessor
Stack-based buffer overflow in the Back Orifice (BO) preprocessor for Snort before 2.4.3 allows remote attackers to execute arbitrary code via a crafted UDP packet.
ProFTPD - Stack-Based Buffer Overflow via TELNET IAC Escape Character
Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
by jduck
ProFTPD < 1.3.0 - Stack-based Buffer Overflow in sreplace Function
Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
By Source