CVE-2009-3853

IBM Tivoli Storage Manager 5.3-5.3.6.6, 5.4-5.4.2, 5.5-5.5.2.1, 6.1-6.1.0.1 - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-3853. PoCs published by Metasploit, jduck, including Metasploit module exploits/windows/misc/ibm_tsm_cad_ping.

AI-analyzed exploit summary This Metasploit module exploits a stack buffer overflow in IBM Tivoli Storage Manager Express CAD Service via a malformed 'ping' packet. It leverages SEH overwrite for arbitrary code execution, requiring the service to be in a specific state (CadWaitingStatus = 1).

Description

Stack-based buffer overflow in the client acceptor daemon (CAD) scheduler in the client in IBM Tivoli Storage Manager (TSM) 5.3 before 5.3.6.7, 5.4 before 5.4.3, 5.5 before 5.5.2.2, and 6.1 before 6.1.0.2, and TSM Express 5.3.3.0 through 5.3.6.6, allows remote attackers to execute arbitrary code via crafted data in a TCP packet.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16421

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in IBM Tivoli Storage Manager Express CAD Service via a malformed 'ping' packet. It leverages SEH overwrite for arbitrary code execution, requiring the service to be in a specific state (CadWaitingStatus = 1).

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IBM Tivoli Storage Manager Express 5.3.6.2

No auth needed

Prerequisites: TSM Express CAD Service in CadWaitingStatus = 1 state · Network access to port 1582

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GOOD

by jduck · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb