CVE-2005-4145

Lyris ListManager <8.9b - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2005-4145. PoCs published by Metasploit, hdm, including Metasploit module exploits/windows/mssql/lyris_listmanager_weak_pass.

AI-analyzed exploit summary This exploit targets a weak password vulnerability in Lyris ListManager's MSDE installation, where the 'sa' account password is either 'lminstall' or 'lyris' followed by a process ID. It brute-forces possible passwords and, upon successful authentication, uploads and executes a payload.

Description

The MSDE version of Lyris ListManager 5.0 through 8.9b configures the sa account in the database to use a password with a small search space ("lyris" and up to 5 digits, possibly from the process ID), which allows remote attackers to gain access via a brute force attack.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16397

This exploit targets a weak password vulnerability in Lyris ListManager's MSDE installation, where the 'sa' account password is either 'lminstall' or 'lyris' followed by a process ID. It brute-forces possible passwords and, upon successful authentication, uploads and executes a payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Lyris ListManager with MSDE
No auth needed
Prerequisites: Network access to the target MSDE instance · MSDE service running with default or weak 'sa' password
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb

This Metasploit module exploits a weak password vulnerability in Lyris ListManager's MSDE installation, where the 'sa' account password is either 'lminstall' or 'lyris' followed by a process ID. It brute-forces all possible process IDs to gain authentication and then uploads and executes a payload.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Lyris ListManager with MSDE
No auth needed
Prerequisites: Network access to the target MSDE instance
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/419077/100/0/threaded
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2820
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0349.html
Patch vdb-entry x_refsource_osvdb
http://www.osvdb.org/21559
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17943

Scores

EPSS 0.4392
EPSS Percentile 98.6%

Details

Status published
Products (5)
lyris_technologies_inc/listmanager 5.0
lyris_technologies_inc/listmanager 6.0
lyris_technologies_inc/listmanager 7.0
lyris_technologies_inc/listmanager 8.0
lyris_technologies_inc/listmanager 8.8a
Published Dec 10, 2005
Tracked Since Feb 18, 2026