CVE-2006-2447

SpamAssassin - Remote Code Execution via Crafted Message with Virtual Pop Username

Exploitation Summary

EIP tracks 3 public exploits for CVE-2006-2447. PoCs published by Metasploit, patrick, aushack, including Metasploit module exploits/unix/misc/spamassassin_exec.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2006-2447 in SpamAssassin's spamd service by injecting a malicious command into the User header when vpopmail and paranoid modes are enabled. It sends a crafted PROCESS SPAMC/1.2 request to execute arbitrary commands via the payload.

Description

SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16920

This Metasploit module exploits CVE-2006-2447 in SpamAssassin's spamd service by injecting a malicious command into the User header when vpopmail and paranoid modes are enabled. It sends a crafted PROCESS SPAMC/1.2 request to execute arbitrary commands via the payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SpamAssassin spamd < 3.1.3
No auth needed
Prerequisites: vpopmail and paranoid modes enabled in spamd · network access to port 783
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by patrick · ruby · remote · unix
https://www.exploit-db.com/exploits/9914

This exploit targets a command injection vulnerability in SpamAssassin's spamd service (CVE-2006-2447) by injecting a malicious command into the 'User' header when vpopmail and paranoid modes are enabled. It sends a crafted SPAMC request to execute arbitrary commands via the payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SpamAssassin spamd < 3.1.3
No auth needed
Prerequisites: SpamAssassin spamd with vpopmail and paranoid modes enabled · Network access to port 783
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by aushack · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/misc/spamassassin_exec.rb

This Metasploit module exploits a command injection vulnerability in SpamAssassin's spamd service by injecting a malicious command into the 'User' header when vpopmail and paranoid modes are enabled. The exploit sends a crafted SPAMC request to trigger remote command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SpamAssassin spamd < 3.1.3
No auth needed
Prerequisites: SpamAssassin spamd running with vpopmail and paranoid modes enabled · Network access to port 783
devstral-2 · analyzed Feb 16, 2026

References (19)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20482
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200606-09.xml
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18290
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2006:103
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/436288/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9184
Vendor Advisory vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2006/0034/
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20692
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20566
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20430
Patch, Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2006-0543.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2148
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20531
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016230
Patch, Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1090
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27008
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20443
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016235

Scores

EPSS: 0.7431
EPSS Percentile: 99.4%

Details

Status: published
Products (3):
- apache/spamassassin 3.1.0
- apache/spamassassin 3.1.1
- apache/spamassassin 3.1.2
Published: Jun 06, 2006
Tracked Since: Feb 18, 2026