CVE-2011-4642

Splunk 4.2.x - Authenticated Remote Code Execution via mappy.py Python Class Access

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-4642. PoCs published by Gary O'Leary-Steele, Gary O, , # Vulnerability discovery and exploit, including Metasploit module exploits/multi/http/splunk_mappy_exec.

AI-analyzed exploit summary This exploit targets CVE-2011-4644, a vulnerability in Splunk that allows remote authentication bypass and potential remote code execution. The script includes functionality for brute-forcing credentials, interacting with Splunk's web and management interfaces, and leveraging session keys for further exploitation.

Description

mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly restrict use of the mappy command to access Python classes, which allows remote authenticated administrators to execute arbitrary code by leveraging the sys module in a request to the search application, as demonstrated by a cross-site request forgery (CSRF) attack, aka SPL-45172.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Gary O'Leary-Steele · pythonremotemultiple
https://www.exploit-db.com/exploits/18245

This exploit targets CVE-2011-4644, a vulnerability in Splunk that allows remote authentication bypass and potential remote code execution. The script includes functionality for brute-forcing credentials, interacting with Splunk's web and management interfaces, and leveraging session keys for further exploitation.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Splunk (versions affected by CVE-2011-4644)
No auth needed
Prerequisites: Network access to Splunk's web interface (port 8000) and management port (port 8089) · Splunk instance vulnerable to CVE-2011-4644
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Gary O, , # Vulnerability discovery and exploit · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/splunk_mappy_exec.rb

This Metasploit module exploits a command execution vulnerability in Splunk's 'mappy' search command (CVE-2011-4642) by injecting Python code via base64-encoded payloads. It authenticates as an admin user and executes arbitrary commands on the target system.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Splunk 4.2 to 4.2.4
Auth required
Prerequisites: Valid admin credentials (default: admin:changeme) · Access to Splunk web interface (port 8000)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Vendor Advisory x_refsource_confirm
http://www.splunk.com/view/SP-CAAAGMM
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026451
Exploit x_refsource_misc
http://www.sec-1.com/blog/?p=233
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47232
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18245/

Scores

EPSS 0.2893
EPSS Percentile 97.9%

Details

CWE
CWE-352
Status published
Products (5)
splunk/splunk 4.2
splunk/splunk 4.2.1
splunk/splunk 4.2.2
splunk/splunk 4.2.3
splunk/splunk 4.2.4
Published Jan 03, 2012
Tracked Since Feb 18, 2026