CVE-2003-0722

Solaris - Unauthenticated Remote Privilege Escalation via sadmind AUTH_SYS Spoofing

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2003-0722. PoCs published by Metasploit, H D Moore, including Metasploit module exploits/solaris/sunrpc/sadmind_exec.

AI-analyzed exploit summary This exploit targets a vulnerability in the Solaris sadmind RPC service (CVE-2003-0722) by leveraging weak default security settings to execute arbitrary commands. It uses SunRPC authentication and crafts a malicious request to spawn a shell.

Description

The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/16324

This exploit targets a vulnerability in the Solaris sadmind RPC service (CVE-2003-0722) by leveraging weak default security settings to execute arbitrary commands. It uses SunRPC authentication and crafts a malicious request to spawn a shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Solaris sadmind (versions 2.7, 8, and 9)
No auth needed
Prerequisites: Network access to the target's sadmind service (UDP port 100232) · Solaris system with vulnerable sadmind configuration
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by H D Moore · perlremotesolaris
https://www.exploit-db.com/exploits/101

This exploit targets a vulnerability in Solaris sadmind RPC service (CVE-2003-0722) by forging RPC packets to execute arbitrary commands with root privileges. It leverages weak AUTH_SYS authentication to bypass security checks and execute commands via directory traversal.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Solaris sadmind (versions prior to patch)
No auth needed
Prerequisites: Network access to target's sadmind service (typically port 100232) · Target must have sadmind enabled with default AUTH_SYS security
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/sunrpc/sadmind_exec.rb

This Metasploit module exploits a vulnerability in the Solaris sadmind RPC service (CVE-2003-0722) by sending a maliciously crafted request to execute arbitrary commands via a shell. It leverages weak default security settings in Sun Solstice AdminSuite to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Solaris sadmind (Solaris 2.7, 8, 9)
No auth needed
Prerequisites: Network access to UDP port 100232 · Vulnerable Solaris version with sadmind enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/41870
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/8615
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/9742
Third Party Advisory, US Government Resource third-party-advisory government-resource x_refsource_ciac
http://www.ciac.org/ciac/bulletins/n-148.shtml
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1273
Third Party Advisory mailing-list x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0115.html
Vendor Advisory x_refsource_misc
http://www.idefense.com/advisory/09.16.03.txt
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=106391959014331&w=2

Scores

EPSS 0.8769
EPSS Percentile 99.7%

Details

Status published
Products (1)
sun/solaris
Published Sep 22, 2003
Tracked Since Feb 18, 2026