CVE-2004-2513

Mercury (Pegasus) Mail 4.01 - Remote Code Execution via IMAP SELECT Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2004-2513. PoCs published by Heretic2, JohnH, Reed Arvin.

AI-analyzed exploit summary This exploit targets a pre-authentication EIP overwrite vulnerability in Mercury/32 SMTP Server versions 3.32 to 4.51. It includes shellcode for a bind shell on port 4444 and uses a variety of return addresses for different Windows versions.

Description

Buffer overflow in the IMAP service of Mercury (Pegasus) Mail 4.01 allows remote attackers to execute arbitrary code via a long SELECT command.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Heretic2 · c++remotewindows
https://www.exploit-db.com/exploits/4316

This exploit targets a pre-authentication EIP overwrite vulnerability in Mercury/32 SMTP Server versions 3.32 to 4.51. It includes shellcode for a bind shell on port 4444 and uses a variety of return addresses for different Windows versions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mercury/32 SMTP Server v3.32-v4.51
No auth needed
Prerequisites: Network access to the target SMTP server · Target server running a vulnerable version of Mercury/32 SMTP Server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by JohnH · cremotewindows
https://www.exploit-db.com/exploits/670

This exploit targets a buffer overflow vulnerability in Mercury32 IMAP server, allowing remote code execution via a crafted IMAP command. It includes shellcode for a bind shell on port 1981 and supports 14 different IMAP commands for exploitation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mercury32 IMAP server
Auth required
Prerequisites: Valid IMAP credentials · Network access to the target IMAP server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Reed Arvin · perldoswindows
https://www.exploit-db.com/exploits/1159

This exploit targets a buffer overflow vulnerability in Mercury/32 IMAP4 service by sending an overly long CHECK command. It attempts to crash the service, leading to a denial of service (DoS).

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Mercury/32 v4.01a
Auth required
Prerequisites: Network access to the target IMAP4 service (port 143) · Valid IMAP4 credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by JohnH · cremotewindows
https://www.exploit-db.com/exploits/668

This exploit targets a buffer overflow vulnerability in Mercury32 IMAP server. It sends a crafted SELECT command with a long string of 'A's followed by a return address and shellcode to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mercury32 IMAP server
Auth required
Prerequisites: Valid IMAP credentials · Network access to the target IMAP server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by muts · pythonremotewindows
https://www.exploit-db.com/exploits/663

This is a functional exploit for a stack-based buffer overflow in Mercury Mail 4.01 (Pegasus) IMAP server. It leverages a vulnerable SELECT command to execute arbitrary shellcode (calc.exe) via a crafted buffer with a specific return address.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Mercury Mail 4.01 (Pegasus) IMAP server
Auth required
Prerequisites: Network access to the IMAP server (port 143) · Valid IMAP credentials
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/663
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18295

Scores

EPSS 0.3241
EPSS Percentile 97.0%

Details

Status published
Products (1)
pmail/pegasus 4.01
Published Dec 31, 2004
Tracked Since Feb 18, 2026