CVE-2016-3715

MEDIUM KEV

ImageMagick <6.9.3-10, <7.0.1-1 - Remote Code Execution

Title source: manual

Exploitation Summary

CVE-2016-3715 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 1 public exploit from researchers including Nikolay Ermishkin.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in ImageMagick, including remote code execution (RCE) via command injection in delegate commands, SSRF, file deletion, file moving, and local file read. The PoC leverages insufficient filtering in the 'delegate' feature and pseudo-protocols like 'ephemeral' and 'msl'.

Description

The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.

Exploits (1)

exploitdb WORKING POC

by Nikolay Ermishkin · textdosmultiple

https://www.exploit-db.com/exploits/39767

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in ImageMagick, including remote code execution (RCE) via command injection in delegate commands, SSRF, file deletion, file moving, and local file read. The PoC leverages insufficient filtering in the 'delegate' feature and pseudo-protocols like 'ephemeral' and 'msl'.

Classification

Working Poc 100%

Attack Type

Rce | Ssrf | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: ImageMagick versions up to 6.9.3-9

No auth needed

Prerequisites: ImageMagick installed with default delegates.xml/policy.xml · wget or curl installed · Ghostscript installed for some PoCs

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (21)

Core 21

Core References

Broken Link, Patch x_refsource_confirm

http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog

Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/538378/100/0/threaded

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39767/

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html

Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/05/03/18

Mailing List, Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3746

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201611-21

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_slackware

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568

Mailing List, Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3580

Third Party Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-0726.html

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/89852

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html

Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Exploit, Vendor Advisory x_refsource_confirm

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2990-1

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html

Release Notes x_refsource_confirm

https://www.imagemagick.org/script/changelog.php

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3715

Scores

CVSS v3 5.5

EPSS 0.7521

EPSS Percentile 99.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact partial

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-11-03

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2016-4736

CWE

CWE-552

Status published

Products (50)

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 15.10

canonical/ubuntu_linux 16.04

imagemagick/imagemagick 7.0.0-0

imagemagick/imagemagick 7.0.1-0

imagemagick/imagemagick < 6.9.3-10

opensuse/leap 42.1

opensuse/opensuse 13.2

oracle/linux 6

... and 40 more

Published May 05, 2016

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026