CVE-2006-2502

Exploitation Summary

EIP tracks 4 public exploits for CVE-2006-2502. PoCs published by Metasploit, K-sPecial, kingcope, including Metasploit module exploits/linux/pop3/cyrus_pop3d_popsubfolders.

AI-analyzed exploit summary This exploit targets a stack-based buffer overflow in Cyrus IMAPD's pop3d service (CVE-2006-2502), leveraging a write-anywhere condition to overwrite the GOT and execute shellcode. It bypasses VA randomization by overwriting a pointer used in a memcpy operation.

Description

Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/16836

View Code ZIP pw:eip

This exploit targets a stack-based buffer overflow in Cyrus IMAPD's pop3d service (CVE-2006-2502), leveraging a write-anywhere condition to overwrite the GOT and execute shellcode. It bypasses VA randomization by overwriting a pointer used in a memcpy operation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cyrus IMAPD pop3d (non-default popsubfolders setting)

No auth needed

Prerequisites: Cyrus IMAPD with popsubfolders enabled · Network access to port 110 (POP3)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by K-sPecial · perlremotelinux

https://www.exploit-db.com/exploits/2185

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Cyrus POP3d (CVE-2006-2502) by sending a maliciously crafted USER command with shellcode and a controlled offset to overwrite EIP. It binds a shell to port 13370 upon successful exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cyrus POP3d (versions affected by CVE-2006-2502)

No auth needed

Prerequisites: Network access to the target POP3 service · Knowledge of the target's memory layout (offset)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by kingcope · cremotelinux

https://www.exploit-db.com/exploits/1813

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Cyrus IMAPD's POP3 service (CVE-2006-2502) when popsubfolders is enabled. It sends a crafted USER command with NOP sleds and shellcode to achieve remote code execution, binding a shell to port 13370.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cyrus IMAPD 2.3.2 (POP3 service)

No auth needed

Prerequisites: POP3 service with popsubfolders enabled · Network access to target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by bannedit, jduck · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb

View Code ZIP pw:eip

This exploit targets a stack-based buffer overflow in Cyrus IMAPD's pop3d service via the non-default 'popsubfolders' option. It leverages a write-anywhere condition to overwrite the GOT and execute shellcode, bypassing stack protections like VA randomization.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: Cyrus IMAPD pop3d (versions with CVE-2006-2502)

No auth needed

Prerequisites: Non-default 'popsubfolders' option enabled · Target running vulnerable Cyrus IMAPD version

MITRE ATT&CK