CVE-2016-4971

HIGH

GNU wget < 1.18 - Arbitrary File Write via HTTP-to-FTP Redirect

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2016-4971. PoCs published by Dawid Golunski, liewehacksie, mbadanoiu.

AI-analyzed exploit summary This exploit demonstrates how GNU Wget before 1.18 can be tricked into saving arbitrary files via a crafted HTTP 30X redirect to an FTP server, potentially leading to remote code execution or privilege escalation if wget is run from a sensitive directory or via a cronjob.

Description

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Dawid Golunski · textremotelinux
https://www.exploit-db.com/exploits/40064

This exploit demonstrates how GNU Wget before 1.18 can be tricked into saving arbitrary files via a crafted HTTP 30X redirect to an FTP server, potentially leading to remote code execution or privilege escalation if wget is run from a sensitive directory or via a cronjob.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GNU Wget < 1.18
No auth needed
Prerequisites: Attacker-controlled server to serve malicious HTTP 30X redirect · Victim must run wget on a vulnerable version without protective flags
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by liewehacksie · pythonremotelinux
https://www.exploit-db.com/exploits/49815

This exploit leverages a vulnerability in GNU Wget < 1.18 (CVE-2016-4971) to achieve arbitrary file upload and remote code execution. It sets up an HTTP server that redirects Wget requests to an FTP server, exploiting the FTP redirect vulnerability to upload a file (e.g., .bash_profile) to the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GNU Wget < 1.18
No auth needed
Prerequisites: Attacker-controlled HTTP server · Attacker-controlled FTP server · Target system with vulnerable Wget version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2016-4971

This repository contains a functional exploit for CVE-2016-4971, which leverages a vulnerability in Wget versions 1.18 and 1.14-13.el7 to achieve arbitrary file upload via FTP redirection. The exploit uses a Python-based HTTP server to serve a malicious .wgetrc file and a cronjob payload, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wget 1.18, Wget 1.14-13.el7
No auth needed
Prerequisites: Network access to the target · FTP server running on the attacker's machine
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WORKING POC
by junquera · poc
https://gitlab.com/junquera/cve-2016-4971

This repository contains a functional exploit for CVE-2016-4971, targeting Wget versions before 1.18. The exploit leverages a vulnerability in Wget's handling of FTP-to-HTTP redirects to write arbitrary files, specifically used here to inject SSH keys for unauthorized access.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wget < 1.18
No auth needed
Prerequisites: Network access to the target · Ability to host an FTP and HTTP server
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by gitcollect · poc
https://github.com/gitcollect/CVE-2016-4971

This repository contains a functional exploit for CVE-2016-4971, which abuses wget's handling of HTTP-to-FTP redirects to write arbitrary files. The PoC sets up an HTTP server that redirects vulnerable wget clients to an FTP server, which then serves a malicious .bash_profile file.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: GNU Wget versions < 1.18
No auth needed
Prerequisites: Network access to the target · Target must use wget < 1.18
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (13)

Core 13
Core References
Mailing List, Patch, Vendor Advisory mailing-list x_refsource_mlist
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201610-11
Broken Link vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-08/msg00043.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40064/
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1343666
Broken Link vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2587.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036133
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3012-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91530
Third Party Advisory x_refsource_confirm
https://security.paloaltonetworks.com/CVE-2016-4971

Scores

CVSS v3 8.8
EPSS 0.7379
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (8)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.10
canonical/ubuntu_linux 16.04
gnu/wget < 1.18
oracle/solaris 10
oracle/solaris 11.3
paloaltonetworks/pan-os 6.1.0 - 6.1.16
Published Jun 30, 2016
Tracked Since Feb 18, 2026