CVE-2007-4560

ClamAV < 0.91.2 - Remote Code Execution via Shell Metacharacters in Sendmail Recipient Field

Exploitation Summary

EIP tracks 8 public exploits for CVE-2007-4560. PoCs were published by Metasploit, eliteboy, and patrick, including the Metasploit module exploits/unix/smtp/clamav_milter_blackhole.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2007-4560 in ClamAV Milter's blackhole mode, allowing remote code execution via an insecure popen call. It injects a payload into the 'From:' header of an SMTP message, which is then executed by the vulnerable service.

Description

clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16924

This Metasploit module exploits CVE-2007-4560 in ClamAV Milter's blackhole mode, allowing remote code execution via an insecure popen call. It injects a payload into the 'From:' header of an SMTP message, which is then executed by the vulnerable service.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ClamAV Milter < 0.92.2
No auth needed
Prerequisites: ClamAV Milter with blackhole mode enabled · Network access to the SMTP service
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by eliteboy · perl · remote · multiple
https://www.exploit-db.com/exploits/4761

This exploit targets a vulnerability in Sendmail with clamav-milter by injecting commands into the RCPT TO field to modify /etc/inetd.conf and restart the inetd service, resulting in a root shell. The exploit leverages improper input validation in the email address parsing.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sendmail with clamav-milter (versions affected by CVE-2007-4560)
No auth needed
Prerequisites: Network access to the target's SMTP port (25) · Sendmail with clamav-milter installed and vulnerable
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by patrick · ruby · remote · multiple
https://www.exploit-db.com/exploits/9913

This Metasploit module exploits CVE-2007-4560 in ClamAV's clamav-milter (Sendmail mail filter) by injecting a command into the 'From:' header of an SMTP email, which is then executed due to an insecure popen call in black hole mode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ClamAV clamav-milter < 0.92.2
No auth needed
Prerequisites: ClamAV milter with black hole mode enabled · SMTP server accessible to the attacker
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by Strikoder-Premium · poc
https://github.com/Strikoder-Premium/sendmail-clamav-exploit-CVE-2007-4560

This repository contains a functional Python exploit for CVE-2007-4560, targeting Sendmail with ClamAV-Milter <0.91.2. The exploit leverages command injection via crafted SMTP RCPT TO headers to achieve remote root code execution by modifying /etc/inetd.conf and restarting the inetd service.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sendmail with ClamAV-Milter <0.91.2
No auth needed
Prerequisites: Sendmail with vulnerable ClamAV-Milter version · Network access to SMTP port (25)
devstral-2 · analyzed Jun 12, 2026

nomisec WORKING POC 4 stars
by STK-Security · poc
https://github.com/STK-Security/sendmail-clamav-exploit-CVE-2007-4560

This repository contains a functional Python exploit for CVE-2007-4560, targeting Sendmail with ClamAV-Milter <0.91.2. The exploit leverages improper input sanitization in SMTP RCPT TO headers to achieve remote command execution with root privileges.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sendmail with ClamAV-Milter <0.91.2
No auth needed
Prerequisites: Network access to the target's SMTP port (25) · ClamAV-Milter version <0.91.2
devstral-2 · analyzed May 31, 2026

nomisec WORKING POC 3 stars
by strikoder · poc
https://github.com/strikoder/sendmail-clamav-exploit-CVE-2007-4560

This repository contains a functional Python exploit for CVE-2007-4560, targeting Sendmail with ClamAV-Milter <0.91.2. The exploit injects commands via SMTP RCPT TO headers to achieve remote root command execution by modifying /etc/inetd.conf and restarting the inetd service.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sendmail with ClamAV-Milter <0.91.2
No auth needed
Prerequisites: Target running Sendmail with vulnerable ClamAV-Milter version · Network access to SMTP port (25)
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by 0x1sac · poc
https://github.com/0x1sac/ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution

This repository contains a functional exploit for CVE-2007-4560, targeting ClamAV Milter Sendmail versions prior to 0.91.2. The exploit leverages a command injection vulnerability in the email processing logic by crafting a malicious RCPT TO field to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ClamAV Milter Sendmail < 0.91.2
No auth needed
Prerequisites: Network access to the vulnerable Sendmail service (typically port 25) · Vulnerable version of ClamAV Milter Sendmail (< 0.91.2)
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by aushack · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/clamav_milter_blackhole.rb

This Metasploit module exploits a command injection vulnerability in ClamAV Milter's blackhole mode (CVE-2007-4560) by injecting a malicious RCPT TO address and embedding a payload in the 'From:' header, leading to remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ClamAV Milter < v0.92.2
No auth needed
Prerequisites: ClamAV Milter with blackhole mode enabled · Network access to the SMTP service
devstral-2 · analyzed Feb 16, 2026

References (21)

Core References
Vendor Advisory vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2007/0026/
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25439
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200709-14.xml
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/3063
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26822
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26916
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/477723/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26683
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2007/dsa-1366
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0924/references
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29420
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2007_18_sr.html
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26751
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018610
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26654
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=307562
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:172
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26674

Scores

EPSS 0.8366
EPSS Percentile 99.7%

Details

CWE: CWE-78
Status: published
Products (1): clam_anti-virus/clamav < 0.91.1
Published: Aug 28, 2007
Tracked Since: Feb 18, 2026