CVE-2020-8794

CRITICAL

OpenSMTPD OOB Read Local Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-8794. PoCs published by Metasploit, Qualys Corporation, Qualys, wvu, including Metasploit module exploits/unix/local/opensmtpd_oob_read_lpe.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2020-8794, an out-of-bounds read vulnerability in OpenSMTPD, to achieve local privilege escalation. It leverages a malformed SMTP message to execute arbitrary commands as root or nobody, depending on the OpenSMTPD grammar version.

Description

OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/48185

This Metasploit module exploits CVE-2020-8794, an out-of-bounds read vulnerability in OpenSMTPD, to achieve local privilege escalation. It leverages a malformed SMTP message to execute arbitrary commands as root or nobody, depending on the OpenSMTPD grammar version.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: OpenSMTPD < 6.6.4
No auth needed
Prerequisites: Local access to a vulnerable OpenSMTPD instance · OpenSMTPD service running
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Qualys Corporation · c · remote · openbsd
https://www.exploit-db.com/exploits/48140

This exploit demonstrates a local privilege escalation (LPE) and remote code execution (RCE) vulnerability in OpenSMTPD's default installation. It leverages a flaw in the SMTP server's grammar parsing to inject arbitrary commands, allowing an attacker to execute code as the root user.

Classification: Working PoC 100%
Attack Type: RCE | LPE
Complexity: Moderate
Reliability: Reliable
Target: OpenSMTPD (versions with CVE-2020-8794)
No auth needed
Prerequisites: Network access to the SMTP service (port 25) · OpenSMTPD running with vulnerable configuration
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Qualys, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb

This Metasploit module exploits CVE-2020-8794, an out-of-bounds read vulnerability in OpenSMTPD, to achieve local privilege escalation by sending a malformed SMTP message to execute arbitrary commands as root or nobody, depending on the grammar version.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: OpenSMTPD < 6.6.4
No auth needed
Prerequisites: Local access to the target system · OpenSMTPD service running · Network connectivity to the Metasploit handler
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References
Third Party Advisory x_refsource_misc
https://www.openbsd.org/security.html
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2020/02/24/5
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/02/26/1
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4634
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Feb/32
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/03/01/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/03/01/2
Patch, Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4294-1/
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/05/04/7

Scores

CVSS v3: 9.8
EPSS: 0.8814
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-125
Status: published
Products (7)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
opensmtpd/opensmtpd < 6.6.4
Published: Feb 25, 2020
Tracked Since: Feb 18, 2026