CVE-2007-6016

Symantec Backup Exec for Windows Server <12.0.1364 - Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2007-6016. PoCs published by Metasploit, Elazar, including Metasploit module exploits/windows/browser/symantec_backupexec_pvcalendar.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack buffer overflow in Symantec BackupExec Calendar Control via an overly long string to the '_DOWText0' property. It delivers a payload through a malicious HTML page with embedded JavaScript to achieve remote code execution.

Description

Multiple stack-based buffer overflows in the PVATLCalendar.PVCalendar.1 ActiveX control in pvcalendar.ocx in the scheduler component in the Media Server in Symantec Backup Exec for Windows Server (BEWS) 11d 11.0.6235 and 11.0.7170, and 12.0 12.0.1364, allow remote attackers to execute arbitrary code via a long (1) _DOWText0, (2) _DOWText1, (3) _DOWText2, (4) _DOWText3, (5) _DOWText4, (6) _DOWText5, (7) _DOWText6, (8) _MonthText0, (9) _MonthText1, (10) _MonthText2, (11) _MonthText3, (12) _MonthText4, (13) _MonthText5, (14) _MonthText6, (15) _MonthText7, (16) _MonthText8, (17) _MonthText9, (18) _MonthText10, or (19) _MonthText11 property value when executing the Save method. NOTE: the vendor states "Authenticated user involvement required," but authentication is not needed to attack a client machine that loads this control.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16582

View Code ZIP pw:eip

This is a Metasploit module exploiting a stack buffer overflow in Symantec BackupExec Calendar Control via an overly long string to the '_DOWText0' property. It delivers a payload through a malicious HTML page with embedded JavaScript to achieve remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Symantec BackupExec Calendar Control (pvcalendar.ocx)

No auth needed

Prerequisites: Target must have Symantec BackupExec Calendar Control installed · Target must visit a malicious webpage or be redirected to it

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Elazar · htmlremotewindows

https://www.exploit-db.com/exploits/5205

View Code ZIP pw:eip

This is a buffer overflow exploit targeting Symantec BackupExec Calendar Control (PVCalendar.ocx) via a maliciously crafted HTML file. It leverages heap spraying and shellcode execution to achieve remote code execution (RCE) on vulnerable systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Symantec BackupExec Calendar Control (PVCalendar.ocx) version 10.0.0.17

No auth needed

Prerequisites: Vulnerable version of PVCalendar.ocx installed · Victim must open the malicious HTML file in Internet Explorer

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in Symantec BackupExec Calendar Control (pvcalendar.ocx) via an overly long string sent to the '_DOWText0' property, allowing arbitrary code execution. It uses JavaScript to trigger the vulnerability and deliver a payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Symantec BackupExec Calendar Control (pvcalendar.ocx)

No auth needed

Prerequisites: Target must have Symantec BackupExec Calendar Control installed · Target must visit a malicious webpage or open a malicious HTML file

MITRE ATT&CK