CVE-2005-4267

Qualcomm WorldMail 3.0 - Remote Code Execution via Long IMAP Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2005-4267. PoCs published by Metasploit, MC, jduck, including Metasploit module exploits/windows/imap/eudora_list.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in Qualcomm WorldMail 3.0 IMAP Server (builds 6.1.19.0 to 6.1.22.0) via a malformed LIST command. It leverages SEH overwrites and a custom jump payload to achieve remote code execution.

Description

Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote attackers to execute arbitrary code via a long IMAP command that ends with a "}" character, as demonstrated using long (1) LIST, (2) LSUB, (3) SEARCH TEXT, (4) STATUS INBOX, (5) AUTHENTICATE, (6) FETCH, (7) SELECT, and (8) COPY commands.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16474

This exploit targets a stack buffer overflow in Qualcomm WorldMail 3.0 IMAP Server (builds 6.1.19.0 to 6.1.22.0) via a malformed LIST command. It leverages SEH overwrites and a custom jump payload to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Qualcomm WorldMail 3.0 IMAP Server (6.1.19.0 - 6.1.22.0)
No auth needed
Prerequisites: Network access to the IMAP service · Target running vulnerable WorldMail version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
pythonremotewindows
https://www.exploit-db.com/exploits/1380

This exploit targets a pre-authentication buffer overflow in Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 via the LIST command. It uses a two-stage shellcode approach to bypass space constraints, ultimately spawning a bind shell on port 4444.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0
No auth needed
Prerequisites: Network access to the target IMAP service · Target running vulnerable version of Eudora Qualcomm WorldMail
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC GREAT
by MC, jduck · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/imap/eudora_list.rb

This exploit targets a stack buffer overflow in Qualcomm WorldMail 3.0 IMAP Server (builds 6.1.19.0 to 6.1.22.0) via a malformed LIST command. It leverages SEH overwrites and a custom jump payload to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Qualcomm WorldMail 3.0 IMAP Server (6.1.19.0 - 6.1.22.0)
No auth needed
Prerequisites: Network access to the IMAP service · Target running vulnerable WorldMail version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015391
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/3005
Exploit, Vendor Advisory mailing-list x_refsource_fulldisc
http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15980
Vendor Advisory third-party-advisory x_refsource_idefense
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/277
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17640

Scores

EPSS 0.6680
EPSS Percentile 99.2%

Details

CWE
CWE-119
Status published
Products (1)
qualcomm/worldmail 3.0
Published Dec 21, 2005
Tracked Since Feb 18, 2026