CVE-2016-5330

HIGH

VMware Workstation Player 12.1.0-12.1.1 - Untrusted Search Path via HGFS Shared Folders

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-5330. PoCs published by Metasploit, including Metasploit module exploits/windows/misc/vmhgfs_webdav_dll_sideload.

AI-analyzed exploit summary This Metasploit module exploits a DLL side-loading vulnerability in VMware Host Guest Client Redirector (CVE-2016-5330) by serving a malicious DLL via a WebDAV share, which is loaded when a victim opens a crafted DOCX file.

Description

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows
https://www.exploit-db.com/exploits/41711

This Metasploit module exploits a DLL side-loading vulnerability in VMware Host Guest Client Redirector (CVE-2016-5330) by serving a malicious DLL via a WebDAV share, which is loaded when a victim opens a crafted DOCX file.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VMware Host Guest Client Redirector (VMware Tools)
No auth needed
Prerequisites: Victim must open a crafted DOCX file from the attacker's WebDAV share · WebDAV Mini-Redirector enabled on the victim's system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb

This Metasploit module exploits a DLL side-loading vulnerability in VMware Host Guest Client Redirector (CVE-2016-5330) by serving a malicious DLL via a WebDAV share, which is loaded when a victim opens a crafted document. The exploit leverages the WebDAV Mini-Redirector to achieve remote code execution with the privileges of the target user.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VMware Host Guest Client Redirector (VMware Tools)
No auth needed
Prerequisites: WebDAV Mini-Redirector enabled on the target system · Victim must open a document from the attacker's share
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036544
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036619
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92323
Mitigation, Vendor Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2016-0010.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/539131/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036545

Scores

CVSS v3 7.8
EPSS 0.1802
EPSS Percentile 96.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-426
Status published
Products (5)
vmware/esxi 5.0 - 6.0
vmware/fusion 8.1 - 8.1.1
vmware/tools 9.0.0 - 10.3.22
vmware/workstation_player 12.1.0 - 12.1.1
vmware/workstation_pro 12.1.0 - 12.1.1
Published Aug 08, 2016
Tracked Since Feb 18, 2026