CVE-2016-1531

HIGH

Exim <4.86.2 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2016-1531. PoCs published by Metasploit, Dawid Golunski, Hacker Fantastic, including Metasploit module exploits/unix/local/exim_perl_startup.

AI-analyzed exploit summary This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 by leveraging the 'perl_startup' configuration parameter to execute arbitrary commands with root privileges.

Description

Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocallinux
https://www.exploit-db.com/exploits/39702

This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 by leveraging the 'perl_startup' configuration parameter to execute arbitrary commands with root privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Exim < 4.86.2
No auth needed
Prerequisites: Presence of the 'perl_startup' configuration parameter in Exim
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Dawid Golunski · textlocallinux
https://www.exploit-db.com/exploits/39549

This exploit leverages an unsanitized PERL5OPT environment variable in Exim to execute arbitrary Perl code with root privileges via the embedded Perl interpreter. The attack abuses the -ps flag to force early Perl execution before privilege dropping.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Exim < 4.86.2
No auth needed
Prerequisites: Exim compiled with Perl support · perl_startup configuration variable present · Local access to the system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Hacker Fantastic · bashlocallinux
https://www.exploit-db.com/exploits/39535

This exploit leverages a local privilege escalation vulnerability in Exim (CVE-2016-1531) by manipulating the Perl environment to load a malicious module, granting root access. The script creates a Perl module that spawns a shell and executes Exim with the manipulated environment.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Exim <= 4.84-3
No auth needed
Prerequisites: Local access to the target system · Exim binary with vulnerable version present
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by h3x0v3rl0rd · poc
https://github.com/h3x0v3rl0rd/CVE-2016-1531

This repository contains a functional local privilege escalation exploit for CVE-2016-1531, targeting Exim versions <= 4.84-3. The exploit manipulates the Perl environment to load a malicious module, granting root access.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Exim <= 4.84-3
No auth needed
Prerequisites: Local access to the target system · Exim binary with Perl support
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Dawid Golunski, wvu · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/local/exim_perl_startup.rb

This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 by leveraging the 'perl_startup' configuration parameter to execute arbitrary commands with root privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Exim < 4.86.2
No auth needed
Prerequisites: Presence of 'perl_startup' configuration parameter in Exim · Local access to the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39535/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035512
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39702/
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2933-1
Third Party Advisory, US Government Resource x_refsource_confirm
http://www.exim.org/static/doc/CVE-2016-1531.txt
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39549/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3517

Scores

CVSS v3 7.0
EPSS 0.0590
EPSS Percentile 92.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-264
Status published
Products (1)
exim/exim < 4.86
Published Apr 07, 2016
Tracked Since Feb 18, 2026