CVE-2013-4885

nmap < 6.40 - Arbitrary File Write via http-domino-enum-passwords.nse Script

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-4885. PoCs published by Piotr Duszynski.

AI-analyzed exploit summary: This exploit leverages a vulnerability in Nmap's script engine to write arbitrary files via the 'domino-enum-passwords' script by manipulating the 'idpath' argument. It allows an attacker to write files with the permissions of the user running Nmap, potentially leading to full system compromise.

Description

The http-domino-enum-passwords.nse script in Nmap before 6.40, when domino-enum-passwords.idpath is set, allows remote servers to upload "arbitrarily named" files via a crafted FullName parameter in a response, as demonstrated using directory traversal sequences.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Piotr Duszynski · text · remote · linux
https://www.exploit-db.com/exploits/38741

Classification: Working Poc 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Nmap 6.25
No auth needed
Prerequisites: Nmap installed · Network access to the target · User execution of the malicious command
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0722
EPSS Percentile 93.5%

Details

Status published
Products (16)
nmap/nmap 2.1 beta1
nmap/nmap 2.2 beta2 (3 CPE variants)
nmap/nmap 2.3 beta10 (14 CPE variants)
nmap/nmap 2.05
nmap/nmap 2.06
nmap/nmap 2.07
nmap/nmap 2.08
nmap/nmap 2.09
nmap/nmap 2.10
nmap/nmap 2.11
... and 6 more
Published Oct 26, 2013
Tracked Since Feb 18, 2026