CVE-2015-6493

Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 - Authenticated Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6493.

AI-analyzed exploit summary The exploit demonstrates an authenticated arbitrary JSP code execution vulnerability in Mango Automation 2.5.2 and 2.6.0 beta. It leverages improper file upload verification to upload a malicious JSP file, enabling remote command execution.

Description

Cross-site request forgery (CSRF) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Exploits (1)

exploitdb WORKING POC

webappsjsp

https://www.exploit-db.com/exploits/38338

View Code ZIP pw:eip

The exploit demonstrates an authenticated arbitrary JSP code execution vulnerability in Mango Automation 2.5.2 and 2.6.0 beta. It leverages improper file upload verification to upload a malicious JSP file, enabling remote command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Mango Automation 2.5.2 and 2.6.0 beta (build 327)

Auth required

Prerequisites: Authenticated session · Access to the target server

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Core References

Patch, Third Party Advisory, US Government Resource x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Scores

EPSS 0.0132

EPSS Percentile 67.1%

Details

CWE

CWE-352

Status published

Products (3)

infinite_automation_systems/mango_automation 2.5.0

infinite_automation_systems/mango_automation 2.5.5

infinite_automation_systems/mango_automation 2.6.0

Published Oct 28, 2015

Tracked Since Feb 18, 2026