CVE-2016-4010

CRITICAL

Magento < 2.0.6 - Unauthenticated PHP Object Injection via Serialized Shopping Cart Data


Exploitation Summary

EIP tracks 4 public exploits for CVE-2016-4010. PoCs published by agix, brianwrf, shadofren, including Metasploit module exploits/multi/http/magento_unserialize.

AI-analyzed exploit summary: This exploit leverages an unauthenticated arbitrary unserialize vulnerability in Magento (CVE-2016-4010) to achieve arbitrary file write. It constructs a malicious serialized payload to trigger the vulnerability, potentially leading to remote code execution.

Description

Magento CE and EE before 2.0.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

Exploits (4)

exploitdb WORKING POC VERIFIED
by agix · php · webapps · php
https://www.exploit-db.com/exploits/39838

This exploit leverages an unauthenticated arbitrary unserialize vulnerability in Magento (CVE-2016-4010) to achieve arbitrary file write. It constructs a malicious serialized payload to trigger the vulnerability, potentially leading to remote code execution.

Classification: Working Poc 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Magento < 2.0.6
No auth needed
Prerequisites: Valid guestCartId obtained by adding an item to the cart and proceeding to checkout
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 6 stars
by brianwrf · poc
https://github.com/brianwrf/Magento-CVE-2016-4010

This is a detailed technical analysis of CVE-2016-4010, a Magento unauthenticated remote code execution vulnerability. It explains the root cause involving SOAP API deserialization flaws and object injection via the 'additional_information' field in the Payment class.

Classification: Writeup 100%
Attack Type: Rce
Complexity: Complex
Reliability: Reliable
Target: Magento CE&EE < 2.0.6
No auth needed
Prerequisites: Magento with RPCs (REST/SOAP) enabled · Access to vulnerable API endpoints
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by shadofren · poc
https://github.com/shadofren/CVE-2016-4010

This repository contains a functional exploit for CVE-2016-4010, a PHP object injection vulnerability in Magento. The exploit leverages deserialization to achieve remote code execution by crafting a malicious payload that writes a PHP shell to the target system.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Magento (versions affected by CVE-2016-4010)
No auth needed
Prerequisites: Target must be running a vulnerable version of Magento · Network access to the target
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Netanel Rubin, agix · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/magento_unserialize.rb

This Metasploit module exploits a PHP object injection vulnerability (CVE-2016-4010) in Magento 2.0.6 or prior, leveraging unserialize to achieve remote code execution via crafted payloads.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Magento 2.0.6 or prior
No auth needed
Prerequisites: Access to a vulnerable Magento instance · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Technical Description, Third Party Advisory x_refsource_misc
http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/
Patch, Vendor Advisory x_refsource_confirm
https://magento.com/security/patches/magento-206-security-update
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39838/

Scores

CVSS v3 9.8
EPSS 0.9319
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-74
Status: published
Products (1): magento/magento < 2.0.5 (2 CPE variants)
Published Jan 23, 2017
Tracked Since Feb 18, 2026