CVE-2007-4474
IBM Lotus Domino Web Access 6.x-7.x - Remote Code Execution via Long General_ServerName Property
Exploitation Summary
EIP tracks 5 public exploits for CVE-2007-4474.
PoCs published by Metasploit, Elazar, including Metasploit module exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.
AI-analyzed exploit summary: This exploit targets a stack buffer overflow in IBM Lotus Domino Web Access Upload Module (dwa7w.dll and inotes6w.dll) via an overly long string to the 'General_ServerName()' property. It delivers a payload through a malicious HTML page with embedded JavaScript to achieve remote code execution.
Description
Multiple stack-based buffer overflows in the IBM Lotus Domino Web Access ActiveX control, as provided by inotes6.dll, inotes6w.dll, dwa7.dll, and dwa7w.dll, in Domino 6.x and 7.x allow remote attackers to execute arbitrary code, as demonstrated by an overflow from a long General_ServerName property value when calling the InstallBrowserHelperDll function in the Upload Module in the dwa7.dwa7.1 control in dwa7w.dll 7.0.34.1.
Exploits (5)
This exploit targets a stack buffer overflow in IBM Lotus Domino Web Access Upload Module (dwa7w.dll and inotes6w.dll) via an overly long string to the 'General_ServerName()' property. It delivers a payload through a malicious HTML page with embedded JavaScript to achieve remote code execution.
This exploit targets a buffer overflow vulnerability in IBM Domino Web Access (CVE-2007-4474) by leveraging ActiveX controls (dwa7w.dll and inotes6.dll) to execute shellcode. It includes two payloads: one to launch calc.exe and another to bind a shell on port 4444.
This exploit targets an SEH overwrite vulnerability in IBM Domino Web Access (dwa7w.dll) via a crafted HTML page. It uses a heap spray technique to trigger the vulnerability and execute shellcode, demonstrating RCE by launching calc.exe or binding a shell to port 4444.
This exploit targets an SEH overwrite vulnerability in IBM Domino Web Access Upload Module (inotes6.dll) via a crafted HTML file. It uses a buffer overflow to execute shellcode, with two payload options: one to launch calc.exe and another to bind a shell on port 4444.
This Metasploit module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module (CVE-2007-4474) by sending an overly long string to the 'General_ServerName()' property in dwa7w.dll or inotes6w.dll, leading to arbitrary code execution.