CVE-2016-4437

CRITICAL KEV NUCLEI

Apache Shiro < 1.2.5 - Remote Code Execution via Remember Me Feature

Title source: llm

Exploitation Summary

CVE-2016-4437 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 8 public exploits from researchers including Metasploit, bkfish and 4nth0ny1130, among them the Metasploit module exploits/multi/http/shiro_rememberme_v124_deserialize. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-4437, a deserialization vulnerability in Apache Shiro v1.2.4, by sending a malicious 'rememberMe' cookie containing an AES-encrypted payload. The payload leverages YSoSerial to achieve remote code execution (RCE) on vulnerable systems.

Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/48410

This Metasploit module exploits CVE-2016-4437, a deserialization vulnerability in Apache Shiro v1.2.4, by sending a malicious 'rememberMe' cookie containing an AES-encrypted payload. The payload leverages YSoSerial to achieve remote code execution (RCE) on vulnerable systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Shiro v1.2.4
No auth needed
Prerequisites: Vulnerable Apache Shiro v1.2.4 installation · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 55 stars
by bkfish · remote
https://github.com/bkfish/Awesome_shiro

This repository contains functional exploit code for CVE-2016-4437, a deserialization vulnerability in Apache Shiro <=1.2.4. The exploit leverages the 'rememberMe' cookie field to execute arbitrary commands via JRMP deserialization attacks, with support for multiple encryption keys and payload generation using ysoserial.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Shiro <=1.2.4
No auth needed
Prerequisites: Target must have vulnerable Shiro version · ysoserial.jar for payload generation · Network access to target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 24 stars
by 4nth0ny1130 · remote
https://github.com/4nth0ny1130/shisoserial

This repository contains a functional exploit tool for CVE-2016-4437, targeting Apache Shiro's deserialization vulnerability. It includes modes for detection, key cracking, and payload execution using ysoserial gadgets.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache Shiro (versions affected by CVE-2016-4437)
No auth needed
Prerequisites: Python 3.x · JDK 1.8 · Target with vulnerable Apache Shiro instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by pizza-power · remote
https://github.com/pizza-power/CVE-2016-4437

This repository contains a functional Python exploit for CVE-2016-4437, an Apache Shiro deserialization vulnerability due to a hardcoded encryption key. The exploit uses ysoserial to generate a malicious payload, encrypts it with the known key, and sends it via a 'rememberMe' cookie to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Shiro (versions with hardcoded encryption key)
No auth needed
Prerequisites: ysoserial-all.jar · Python 3 · Crypto library · target URL or list of URLs · interactsh or Burp Collaborator domain for DNS callback detection
devstral-2 · analyzed Feb 18, 2026
nomisec STUB 1 star
by 35789-gh · poc
https://github.com/35789-gh/cve-2016-4437

The repository contains minimal and incomplete code related to Apache Shiro authentication but lacks any functional exploit or technical details for CVE-2016-4437. Most files are boilerplate or empty.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Shiro
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by xk-mt · remote
https://github.com/xk-mt/CVE-2016-4437

This repository contains functional exploit code for CVE-2016-4437, a deserialization vulnerability in Apache Shiro. It includes tools to decode 'rememberMe' cookies and check for vulnerability presence by sending crafted requests.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache Shiro 1.2.4
No auth needed
Prerequisites: Access to a vulnerable Apache Shiro instance · Valid 'rememberMe' cookie or ability to send crafted requests
devstral-2 · analyzed Feb 18, 2026
nomisec STUB
by m3terpreter · poc
https://github.com/m3terpreter/CVE-2016-4437

The repository contains only a README.md file with minimal content (just the CVE identifier) and no exploit code or technical details. It is a placeholder with no functional or analytical value.

Classification: Stub 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb

This Metasploit module exploits a deserialization vulnerability in Apache Shiro v1.2.4 via the RememberMe cookie, allowing remote code execution. It uses AES encryption with a known key to craft a malicious serialized payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Shiro v1.2.4
No auth needed
Prerequisites: Known encryption key for Shiro's RememberMe cookie · Target application using vulnerable Shiro version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability
HIGH · by iamnoooob, rootxharsh, pdresearch

References (8)

Core References
http://rhn.redhat.com/errata/RHSA-2016-2035.html (Third Party Advisory; vendor-advisory, x_refsource_redhat)
http://rhn.redhat.com/errata/RHSA-2016-2036.html (Third Party Advisory; vendor-advisory, x_refsource_redhat)
http://www.securityfocus.com/bid/91024 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
http://www.securityfocus.com/archive/1/538570/100/0/threaded (Broken Link, Third Party Advisory, VDB Entry; mailing-list, x_refsource_bugtraq)
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)

Scores

CVSS v3 9.8
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2022-4711
CWE
CWE-321
Status published
Products (5)
apache/aurora 0.10.0 - 0.18.1
apache/shiro < 1.2.5
org.apache.shiro/shiro-core 0 - 1.2.5 (Maven)
redhat/fuse 1.0
redhat/jboss_middleware_text-only_advisories 1.0
Published Jun 07, 2016
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026