CVE-2014-1691

Horde Application Framework < 5.1.1 - Remote Code Execution via Serialized Object in _formvars


Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-1691. PoCs published by Metasploit, EgiX, juan vazquez, including Metasploit module exploits/unix/webapp/horde_unserialize_exec.

AI-analyzed exploit summary: This Metasploit module exploits a PHP unserialize vulnerability in Horde Framework <= 5.1.1, leveraging a destructive method chain to achieve arbitrary code execution via a crafted serialized payload.

Description

The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/32439

This Metasploit module exploits a PHP unserialize vulnerability in Horde Framework <= 5.1.1, leveraging a destructive method chain to achieve arbitrary code execution via a crafted serialized payload.

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Horde Framework <= 5.1.1
No auth needed
Prerequisites: Target running vulnerable Horde Framework · Network access to the target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by EgiX, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/horde_unserialize_exec.rb

This Metasploit module exploits a PHP unserialize vulnerability in Horde Framework <= 5.1.1, leveraging a gadget chain to achieve remote code execution via the `__destruct` method and `call_user_func` call.

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Horde Framework <= 5.1.1
No auth needed
Prerequisites: Target running Horde Framework <= 5.1.1 · Access to the login.php endpoint
devstral-2 · analyzed Feb 16, 2026

References (6)

Core 6

Scores

EPSS 0.4289
EPSS Percentile 98.5%

Details

CWE: CWE-94
Status: published
Products (6)
horde/horde_application_framework 5.0.0
horde/horde_application_framework 5.0.1
horde/horde_application_framework 5.0.2
horde/horde_application_framework 5.0.3
horde/horde_application_framework 5.0.4
horde/horde_application_framework < 5.1.0
Published: Apr 01, 2014
Tracked Since: Feb 18, 2026