CVE-2016-4071

CRITICAL

PHP < 5.5.34, 5.6.x < 5.6.20, 7.x < 7.0.5 - Remote Code Execution via SNMP::get Format String Specifiers

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4071. PoCs published by Andrew Kramer.

AI-analyzed exploit summary This exploit leverages a format string vulnerability in PHP's SNMP extension (CVE-2016-4071) to achieve remote code execution by manipulating memory via the '%Z' zval format specifier, bypassing ASLR/NX with a carefully crafted ROP chain.

Description

Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.

Exploits (1)

exploitdb WORKING POC

by Andrew Kramer · phpremotemultiple

https://www.exploit-db.com/exploits/39645

View Code ZIP pw:eip

This exploit leverages a format string vulnerability in PHP's SNMP extension (CVE-2016-4071) to achieve remote code execution by manipulating memory via the '%Z' zval format specifier, bypassing ASLR/NX with a carefully crafted ROP chain.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: PHP <= 7.0.4/5.5.33

No auth needed

Prerequisites: PHP with SNMP extension enabled · 32-bit environment

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (20)

Core 20

Core References

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2952-1

Various Sources x_refsource_confirm

https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8

Vendor Advisory x_refsource_confirm

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149

Vendor Advisory x_refsource_confirm

http://www.php.net/ChangeLog-7.php

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201611-22

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT206567

Exploit x_refsource_confirm

https://bugs.php.net/bug.php?id=71704

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-2750.html

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3560

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2952-2

Mailing List vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2016/May/msg00004.html

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39645/

Vendor Advisory x_refsource_confirm

http://www.php.net/ChangeLog-5.php

Vendor Advisory x_refsource_confirm

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

Vendor Advisory x_refsource_confirm

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/85800

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/04/24/1

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html

Scores

CVSS v3 9.8

EPSS 0.3258

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (30)

apple/mac_os_x < 10.11.4

php/php 5.6.0 alpha1 (9 CPE variants)

php/php 5.6.1

php/php 5.6.2

php/php 5.6.3

php/php 5.6.4

php/php 5.6.5

php/php 5.6.6

php/php 5.6.7

php/php 5.6.8

... and 20 more

Published May 20, 2016

Tracked Since Feb 18, 2026