CVE-2024-27766

MEDIUM

MariaDB 11.1 - Remote Code Execution via lib_mysqludf_sys.so Function

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-27766. PoCs published by Ant1sec-ops, y0un9eee.

AI-analyzed exploit summary This PoC demonstrates a User-Defined Function (UDF) attack in MariaDB 11.1, allowing arbitrary command execution via a malicious shared library loaded into the database. The exploit leverages the `do_system` function to execute system commands, bypassing security controls.

Description

An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.

Exploits (2)

nomisec WORKING POC 3 stars

by Ant1sec-ops · poc

https://github.com/Ant1sec-ops/CVE-2024-27766

View Code ZIP pw:eip

This PoC demonstrates a User-Defined Function (UDF) attack in MariaDB 11.1, allowing arbitrary command execution via a malicious shared library loaded into the database. The exploit leverages the `do_system` function to execute system commands, bypassing security controls.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MariaDB 11.1

Auth required

Prerequisites: Access to MariaDB with sufficient privileges to load UDFs · Ability to compile and load a shared library into the plugin directory

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by y0un9eee · poc

https://github.com/y0un9eee/CVE-2024-27766

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2024-27766, demonstrating RCE in MariaDB v11.1 via a malicious UDF. The PoC modifies the original exploit to return command output directly in SQL results using a `char *` return type and `_popen` for command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: MariaDB v11.1

Auth required

Prerequisites: Windows OS · MariaDB v11.1 (unpatched) · DB user with FILE privilege and plugin directory write access

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/Ant1sec-ops/CVE-2024-27766

Mailing List

https://seclists.org/fulldisclosure/2012/Dec/39

Scores

CVSS v3 5.7

EPSS 0.0119

EPSS Percentile 63.8%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

mariadb/mariadb 11.1.0

Published Oct 17, 2024

Tracked Since Feb 18, 2026