CVE-2016-3714

HIGH KEV

ImageMagick <6.9.3-10 & <7.0.1-1 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2016-3714 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 9, 2024. EIP tracks 9 public exploits from researchers including Metasploit, Nikolay Ermishkin, Hood3dRob1n.

AI-analyzed exploit summary This Metasploit module exploits a shell command injection vulnerability in ImageMagick by crafting malicious SVG, MVG, or MIFF files that execute arbitrary commands when processed. The exploit leverages file magic to mislead ImageMagick into executing embedded payloads.

Description

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

Exploits (9)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalmultiple
https://www.exploit-db.com/exploits/39791

This Metasploit module exploits a shell command injection vulnerability in ImageMagick by crafting malicious SVG, MVG, or MIFF files that execute arbitrary commands when processed. The exploit leverages file magic to mislead ImageMagick into executing embedded payloads.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9
No auth needed
Prerequisites: ImageMagick installed on the target system · Ability to upload or process a malicious file
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Nikolay Ermishkin · textdosmultiple
https://www.exploit-db.com/exploits/39767

This exploit demonstrates multiple vulnerabilities in ImageMagick, including remote code execution (RCE) via command injection in delegate commands, SSRF, file deletion, file moving, and local file read. The PoC leverages insufficient filtering in the 'delegate' feature and pseudo-protocols like 'ephemeral' and 'msl'.

Classification
Working Poc 100%
Attack Type
Rce | Ssrf | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: ImageMagick versions up to 6.9.3-9
No auth needed
Prerequisites: ImageMagick installed with default delegates.xml/policy.xml · wget or curl installed · Ghostscript installed for some PoCs
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 69 stars
by Hood3dRob1n · remote
https://github.com/Hood3dRob1n/CVE-2016-3714

This repository contains a functional exploit for CVE-2016-3714, an ImageMagick code execution vulnerability. It includes a payload builder (`imagick_builder.py`) and a PHP-based web shell (`imagick_bypass_shell.php`) designed to bypass disabled functions via the PHP Imagick extension.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ImageMagick (versions affected by CVE-2016-3714)
No auth needed
Prerequisites: Target system with vulnerable ImageMagick installation · Ability to upload malicious image files to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 18 stars
by jpeanut · poc
https://github.com/jpeanut/ImageTragick-CVE-2016-3714-RShell

This repository provides proof-of-concept exploits for CVE-2016-3714 (ImageTragick), leveraging MVG/SVG file formats to execute arbitrary code and establish a reverse shell. The PoC uses tools like bash, netcat, and PHP to demonstrate remote code execution (RCE) via maliciously crafted image files.

Classification
Working Poc 80%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ImageMagick (versions prior to 7.0.1-1)
No auth needed
Prerequisites: Access to upload maliciously crafted image files to a vulnerable server · Netcat or similar tool for reverse shell setup
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec NO CODE 1 stars
by JoshMorrison99 · poc
https://github.com/JoshMorrison99/CVE-2016-3714
nomisec WORKING POC 1 stars
by chusiang · poc
https://github.com/chusiang/CVE-2016-3714.ansible.role

This repository contains an Ansible role designed to test and mitigate CVE-2016-3714, an ImageMagick command injection vulnerability. It includes tasks to exploit the vulnerability by creating a malicious image file and attempting to execute arbitrary commands, then verifies if the system is patched by checking for the presence of an injected file.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ImageMagick (versions before 6.7.7.10)
No auth needed
Prerequisites: ImageMagick installed on the target system · Ability to execute commands on the target system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WORKING POC
by ahhh · client-side
https://gitlab.com/ahhh/CVE-2016-3714

This repository contains a functional exploit for CVE-2016-3714, an ImageMagick code execution vulnerability. It includes a payload builder (`imagick_builder.py`) and a PHP-based web shell (`imagick_bypass_shell.php`) designed to bypass disabled functions via the PHP Imagick extension.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ImageMagick (versions affected by CVE-2016-3714)
No auth needed
Prerequisites: ImageMagick installed on target system · Ability to upload malicious image files
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by tommiionfire · client-side
https://github.com/tommiionfire/CVE-2016-3714

This PoC exploits CVE-2016-3714 (ImageTragick) by crafting a malicious MVG file that executes arbitrary commands via ImageMagick's 'convert' utility. The script demonstrates command injection by creating a file '/tmp/ImageTragick'.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ImageMagick (versions before 7.0.1-1 and 6.9.3-10)
No auth needed
Prerequisites: ImageMagick installed on the target system · Ability to pass malicious MVG file to 'convert' utility
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by jackdpeterson · poc
https://github.com/jackdpeterson/imagick_secure_puppet

This repository contains a Puppet module that exploits CVE-2016-3714 by modifying the ImageMagick policy.xml file to bypass security restrictions. The exploit is executed via Puppet apply and is designed to work on Ubuntu 14.04 systems.

Classification
Working Poc 80%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: ImageMagick (via Puppet)
Auth required
Prerequisites: Puppet installed · ImageMagick installed · sudo access
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (31)

Core 31
Core References
Third Party Advisory x_refsource_confirm
https://access.redhat.com/security/vulnerabilities/2296071
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035742
Vendor Advisory x_refsource_misc
https://imagetragick.com/
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/05/03/13
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00041.html
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2990-1
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/538378/100/0/threaded
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39767/
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/05/03/18
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3746
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201611-21
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html
Vendor Advisory x_refsource_confirm
https://www.imagemagick.org/script/changelog.php
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39791/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3580
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/89848
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0726.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1332492
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/250519

Scores

CVSS v3 8.4
EPSS 0.9748
EPSS Percentile 99.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-09-09
VulnCheck KEV 2016-05-04
InTheWild.io 2024-09-09
ENISA EUVD EUVD-2016-4735
CWE
CWE-20
Status published
Products (12)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.10
canonical/ubuntu_linux 16.04
debian/debian_linux 8.0
debian/debian_linux 9.0
imagemagick/imagemagick 7.0.0-0
imagemagick/imagemagick 7.0.1-0
imagemagick/imagemagick < 6.9.3-9
opensuse/leap 42.1
... and 2 more
Published May 05, 2016
KEV Added Sep 09, 2024
Tracked Since Feb 18, 2026