CVE-2014-4936

Malwarebytes Anti-Malware <2.0.3 & MBAE <1.04.1.1012 - RCE


Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-4936. PoCs published by Metasploit, 0x3a, Yonathan Klijnsma, Gabor Seljan, todb, including Metasploit module exploits/windows/browser/malwarebytes_update_exec.

AI-analyzed exploit summary: This Metasploit module exploits a vulnerability in Malwarebytes Anti-Malware and Anti-Exploit by spoofing the update server to deliver a malicious executable. It intercepts version check requests and serves a fake update containing the payload.

Description

The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allows man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/41701

This Metasploit module exploits a vulnerability in Malwarebytes Anti-Malware and Anti-Exploit by spoofing the update server to deliver a malicious executable. It intercepts version check requests and serves a fake update containing the payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Malwarebytes Anti-Malware < 2.0.3, Malwarebytes Anti-Exploit < 1.04.1.1012
No auth needed
Prerequisites: Man-in-the-middle position to intercept update requests · Victim must initiate an update check
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 7 stars
by 0x3a · poc
https://github.com/0x3a/CVE-2014-4936

This PoC simulates a Malwarebytes CDN to exploit CVE-2014-4936, allowing arbitrary code execution by serving a malicious payload during the update process. It intercepts update requests and forces the client to download and execute a payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Malwarebytes Anti-Malware (consumer version 2.0.2 and earlier), Malwarebytes Anti-Exploit (consumer version 1.03 and earlier)
No auth needed
Prerequisites: DNS redirection to the attacker's server · Payload named 'payload.exe' in the same directory as the script
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by Yonathan Klijnsma, Gabor Seljan, todb · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/malwarebytes_update_exec.rb

This Metasploit module exploits a vulnerability in Malwarebytes Anti-Malware and Anti-Exploit by spoofing the update server to deliver a malicious executable. It leverages the lack of proper update package validation to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Malwarebytes Anti-Malware (before 2.0.3) and Malwarebytes Anti-Exploit (1.03.1.1220)
No auth needed
Prerequisites: Man-in-the-middle position to spoof the update server · Victim must initiate an update check
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS 0.1678
EPSS Percentile 96.6%

Details

CWE: CWE-345
Status: published
Products (2)
malwarebytes/malwarebytes_anti-exploit < 1.04.1.1012
malwarebytes/malwarebytes_anti-malware < 2.02
Published Dec 16, 2014
Tracked Since Feb 18, 2026