CVE-2001-0236

EXPLOITED

Solaris - Remote Code Execution via SNMP to DMI Mapper Daemon Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2001-0236 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including vlad902, Last Stage of Delirium.

AI-analyzed exploit summary This exploit targets a buffer overflow in Solaris snmpXdmid (CVE-2001-0236) to achieve remote code execution with root privileges. It leverages a heap-based overflow via a maliciously crafted DMI request, bypassing NX protections on SPARC architectures.

Description

Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event.

Exploits (2)

exploitdb WORKING POC VERIFIED
by vlad902 · remotesolaris
https://www.exploit-db.com/exploits/20649

This exploit targets a buffer overflow in Solaris snmpXdmid (CVE-2001-0236) to achieve remote code execution with root privileges. It leverages a heap-based overflow via a maliciously crafted DMI request, bypassing NX protections on SPARC architectures.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sun Solaris snmpXdmid (versions 2.6, 7, 8)
No auth needed
Prerequisites: Network access to target's RPC port (111/tcp) · Target running vulnerable Solaris version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Last Stage of Delirium · cremotesolaris
https://www.exploit-db.com/exploits/20648

This exploit targets a buffer overflow vulnerability in Sun Microsystems' Solaris snmpXdmid service (CVE-2001-0236). It crafts a malicious DMI request to trigger the overflow, executing shellcode to spawn a root shell. The exploit includes SPARC-specific shellcode and a socket-finding stub to locate the socket descriptor for the reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Sun Solaris snmpXdmid (versions 2.6, 7, 8)
No auth needed
Prerequisites: Network access to the target's snmpXdmid service (TCP port 100249) · Target must be running vulnerable Solaris version (2.6, 7, or 8)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/6245
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98462536724454&w=2
Vendor Advisory vendor-advisory x_refsource_sun
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/207
Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/2417
Third Party Advisory, US Government Resource third-party-advisory government-resource x_refsource_ciac
http://www.ciac.org/ciac/bulletins/l-065.shtml
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2001-05.html

Scores

EPSS 0.6973
EPSS Percentile 98.7%

Details

VulnCheck KEV 2017-06-20
Status published
Products (6)
sun/solaris 2.6
sun/solaris 7.0
sun/solaris 8.0
sun/sunos
sun/sunos 5.7
sun/sunos 5.8
Published May 03, 2001
Tracked Since Feb 18, 2026