CVE-2010-4335

CakePHP 1.2.8-1.3.5 - Remote Code Execution via Unserialize in Security Component

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2010-4335. PoCs published by Metasploit, felix, tdz, Felix Wilhelm, including Metasploit module exploits/unix/webapp/cakephp_cache_corruption.

AI-analyzed exploit summary This exploit targets a deserialization vulnerability in CakePHP's Security component, allowing unauthenticated attackers to execute arbitrary PHP code via crafted serialized data in POST requests.

Description

The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/16902

This exploit targets a deserialization vulnerability in CakePHP's Security component, allowing unauthenticated attackers to execute arbitrary PHP code via crafted serialized data in POST requests.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CakePHP <= 1.3.5 / 1.2.8
No auth needed
Prerequisites: Target must be running a vulnerable version of CakePHP · PHP's magic_quotes_gpc must be disabled or bypassable
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by felix · textwebappsphp
https://www.exploit-db.com/exploits/16011

This exploit leverages a PHP deserialization vulnerability in CakePHP's Security component to inject arbitrary objects, corrupting the cache and achieving remote code execution by manipulating the file_map to include a malicious PHP payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CakePHP <= 1.3.5 / 1.2.8
No auth needed
Prerequisites: Target application must use POST forms with security tokens · File-system caching must be enabled (default configuration)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by tdz, Felix Wilhelm · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/cakephp_cache_corruption.rb

This Metasploit module exploits a PHP deserialization vulnerability in CakePHP's Security component (CVE-2010-4335) to achieve remote code execution. It crafts a malicious serialized payload, encodes it, and sends it via POST requests to trigger arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CakePHP versions 1.3.5 and earlier, 1.2.8 and earlier
No auth needed
Prerequisites: Target must be running a vulnerable version of CakePHP · PHP's magic_quotes_gpc must be disabled or bypassable
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/16011
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/69352
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8026
Exploit x_refsource_misc
http://malloc.im/CakePHP-unserialize.txt
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42211

Scores

EPSS 0.8264
EPSS Percentile 99.3%

Details

CWE
CWE-20
Status published
Products (10)
cakefoundation/cakephp 1.3.0
cakephp/cakephp 1.2.8
cakephp/cakephp 1.3 dev
cakephp/cakephp 1.3.0 alpha (6 CPE variants)
cakephp/cakephp 1.3.1
cakephp/cakephp 1.3.2
cakephp/cakephp 1.3.3
cakephp/cakephp 1.3.4
cakephp/cakephp 1.3.5
cakephp/cakephp 1.2.8 - 1.3.6Packagist
Published Jan 14, 2011
Tracked Since Feb 18, 2026