CVE-2021-27928

HIGH LAB

MariaDB <10.2.37, 10.3.28, 10.4.18, 10.5.9 - RCE

Exploitation Summary

EIP tracks 5 public exploits for CVE-2021-27928. PoCs published by Central InfoSec, Al1ex, shamo0.

AI-analyzed exploit summary: This exploit leverages a vulnerability in MariaDB/MySQL's wsrep_provider configuration to execute arbitrary OS commands by loading a malicious shared object file. The PoC generates a reverse shell payload using msfvenom and triggers execution via a MySQL query.

Description

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

Exploits (5)

exploitdb · WORKING POC
by Central InfoSec · textlocallinux
https://www.exploit-db.com/exploits/49765

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
Auth required
Prerequisites: Valid MySQL/MariaDB credentials · Ability to transfer files to the target system · Network access to the target MySQL/MariaDB server
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 63 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2021-27928

This PoC demonstrates OS command execution in MariaDB/MySQL via the 'wsrep_provider' parameter by loading a malicious shared object file. It requires a reverse shell payload generated with msfvenom and execution via MySQL commands.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, 10.5 before 10.5.9; Percona Server through 2021-03-03; wsrep patch for MySQL through 2021-03-03
Auth required
Prerequisites: Valid MySQL/MariaDB credentials · Ability to transfer payload to target · Network access to target MySQL/MariaDB server
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 1 star
by shamo0 · poc
https://github.com/shamo0/CVE-2021-27928-POC

This PoC demonstrates a remote code execution vulnerability in MariaDB and Percona Server by leveraging an untrusted search path to execute arbitrary OS commands via modified wsrep_provider and wsrep_notify_cmd settings. The exploit involves uploading a malicious shared object file and triggering its execution through database configuration changes.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: MariaDB (10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, 10.5 before 10.5.9), Percona Server (through 2021-03-03), wsrep patch (through 2021-03-03) for MySQL
Auth required
Prerequisites: Database SUPER user privileges · Ability to upload files to the target system · Network access to the target database
Analyzed by devstral-2 on Feb 16, 2026
gitlab · WORKING POC
by hatimmouline2014 · poc
https://gitlab.com/hatimmouline2014/cve-2021-27928

This repository provides a Dockerized environment for exploiting CVE-2021-27928, a vulnerability in MariaDB. It sets up a vulnerable MariaDB instance and installs Metasploit for exploitation.

Classification: Working PoC (90%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: MariaDB 10.5.7
No auth needed
Prerequisites: Docker environment · Internet access to download MariaDB and Metasploit
Analyzed by devstral-2 on Feb 23, 2026
nomisec · WORKING POC
by LalieA · poc
https://github.com/LalieA/CVE-2021-27928

This repository provides a proof-of-concept exploit for CVE-2021-27928, which allows OS command execution in MariaDB/MySQL via the `wsrep_provider` and `wsrep_notify_cmd` system variables. The exploit uses a reverse shell payload generated with `msfvenom` and leverages Docker for a controlled environment.

Classification: Working PoC (100%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, 10.5 before 10.5.9; Percona Server through 2021-03-03; wsrep patch through 2021-03-03 for MySQL
Auth required
Prerequisites: Docker · msfvenom · openssh-client · mariadb · database super privileges
Analyzed by devstral-2 on Feb 16, 2026

References (9)

Issue Tracking, Vendor Advisory: https://jira.mariadb.org/browse/MDEV-25179
Release Notes, Vendor Advisory: https://mariadb.com/kb/en/mariadb-10237-release-notes/
Release Notes, Vendor Advisory: https://mariadb.com/kb/en/mariadb-10328-release-notes/
Release Notes, Vendor Advisory: https://mariadb.com/kb/en/mariadb-10418-release-notes/
Release Notes, Vendor Advisory: https://mariadb.com/kb/en/mariadb-1059-release-notes/
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html
Exploit, Third Party Advisory, VDB Entry: http://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html
Third Party Advisory (Gentoo): https://security.gentoo.org/glsa/202105-28
Vendor Advisory: https://mariadb.com/kb/en/security/

Scores

CVSS v3: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.4895 (percentile 97.8%)
Attack Vector: NETWORK

Details

CWE: CWE-94
Status: published
Products (4):
debian/debian_linux 9.0
galeracluster/wsrep < 2021-03-03
mariadb/mariadb 10.2 - 10.2.37
percona/percona_server < 2021-03-03
Published: Mar 19, 2021
Tracked Since: Feb 18, 2026