CVE-2011-2165

WatchGuard XCS 9.0-9.1 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-2165.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in Watchguard XCS <=10.0, including unauthenticated SQL injection via the 'sid' cookie, command injection via the 'id' parameter in 'mailqueue.spl', and privilege escalation via the 'FixCorruptMail' script. It includes functional PoC code for each vulnerability, including a Python script to generate password hashes for backdoor user creation.

Description

The STARTTLS implementation in WatchGuard XCS 9.0 and 9.1 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

Exploits (1)

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/37440

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in Watchguard XCS <=10.0, including unauthenticated SQL injection via the 'sid' cookie, command injection via the 'id' parameter in 'mailqueue.spl', and privilege escalation via the 'FixCorruptMail' script. It includes functional PoC code for each vulnerability, including a Python script to generate password hashes for backdoor user creation.

Classification

Working Poc 95%

Attack Type

Sqli | Rce | Lpe

Complexity

Moderate

Reliability

Reliable

Target: Watchguard XCS <=10.0

No auth needed

Prerequisites: Network access to the target · Ability to send HTTP requests to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/67729

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/44753

US Government Resource x_refsource_confirm

http://www.kb.cert.org/vuls/id/MAPG-8D9M75

Various Sources x_refsource_confirm

http://www.watchguard.com/support/release-notes/xcs/9/en-US/EN_ReleaseNotes_XCS_9_1_1/EN_ReleaseNotes_WG_XCS_9_1_TLS_Hotfix.pdf

US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/555316

Scores

EPSS 0.0516

EPSS Percentile 91.3%

Details

CWE

CWE-264

Status published

Products (2)

watchguard/xcs 9.0

watchguard/xcs 9.1

Published May 23, 2011

Tracked Since Feb 18, 2026