CVE-2016-3714
published 2016-05-05

Priority: P191 (high), CVSS 3.1: 8.4
AV:L / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2024-09-30)
Exploited in the wild
EPSS: 97.48% (99.9th percentile)
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

Affected

24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | graphicsmagick | < graphicsmagick 1.3.24-1 (bookworm) | graphicsmagick 1.3.24-1 (bookworm) |
| debian | imagemagick | < graphicsmagick 1.3.24-1 (bookworm) | graphicsmagick 1.3.24-1 (bookworm) |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| imagemagick | imagemagick | <= 6.9.3-9 | |
| imagemagick | imagemagick | | |
| imagemagick | imagemagick | | |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
| imagemagick | imagemagick | >= 0 < 8:6.7.7.10-6ubuntu3.1 | 8:6.7.7.10-6ubuntu3.1 |
| imagemagick | imagemagick | >= 0 < 8:6.8.9.9-7ubuntu5.1 | 8:6.8.9.9-7ubuntu5.1 |
| opensuse | leap | | |
| opensuse | opensuse | | |
| suse | suse_linux_enterprise_server | | |

Detection & IOCs (extracted from sources)

filename: exploit.mvg
filename: msf.svg
filename: msf.mvg
filename: msf.miff
path: data/exploits/CVE-2016-3714/
command: convert 'https://example.com"|ls "-la' out.png
command: fill 'url(https://example.com/image.jpg"|ls "-la)'
  • Detect shell metacharacter injection patterns in image files processed by ImageMagick — specifically pipe/quote sequences embedded in URL-like fields within MVG or SVG files (e.g., `"|<command>"`)
  • Flag image uploads with MVG/SVG content containing `push graphic-context` and `fill 'url(...)'` with embedded shell metacharacters — exploitation does not depend on file extension; a renamed .jpg or .png can carry the payload
  • Monitor invocations of ImageMagick's `identify` utility against untrusted files — it is also vulnerable and can be triggered indirectly via lesspipe.sh (e.g., `less exploit.jpg`)
  • Detect use of dangerous ImageMagick pseudo-protocols in processed image content: `ephemeral:`, `msl:`, `label:@`, and `url(http://` / `url(https://` inside MVG/SVG files
  • The Metasploit module targets SVG, MVG, and MIFF file formats with a default payload of `cmd/unix/reverse_netcat`; monitor for reverse shell connections following ImageMagick processing of uploaded images
  • On RHEL 5 (will-not-fix), the workaround is to rename coder shared objects (mvg.so, msl.so, label.so) to *.bak rather than editing policy.xml, since policy.xml-based mitigation may not be available on that platform
  • The workaround policy.xml has been updated over time and earlier versions were incomplete; re-check and re-apply even if a prior workaround was already deployed
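
One way to implement the content-based checks in the bullets above, as an added example that is not code from the sources this page summarises. The function names, the three verdict tiers and the sample bytes are assumptions made for illustration; the MVG sample reuses the `fill` line quoted above.

```python
import re

# Indicators taken from the detection bullets above. They are matched on raw
# bytes, so the file extension plays no part in what gets flagged.
INDICATORS = {
    "mvg_header": re.compile(rb"push\s+graphic-context", re.I),
    # url(http[s]://...) where a quote is followed by a shell metacharacter
    "url_shell_meta": re.compile(
        rb"url\(\s*https?://[^)\r\n]*[\"'`][^)\r\n]*[|;&`$]", re.I),
    "url_remote": re.compile(rb"url\(\s*https?://", re.I),
    "pseudo_ephemeral": re.compile(rb"\bephemeral:", re.I),
    "pseudo_msl": re.compile(rb"\bmsl:", re.I),
    "pseudo_label_file": re.compile(rb"\blabel:@", re.I),
}

# Magic bytes of the raster formats an upload endpoint normally expects.
RASTER_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
RASTER_EXT = {"jpg", "jpeg", "png", "gif"}


def scan_image_bytes(data: bytes, limit: int = 1 << 20) -> list:
    """Return the sorted names of indicators found in the first `limit` bytes."""
    head = data[:limit]
    return sorted(name for name, rx in INDICATORS.items() if rx.search(head))


def verdict(filename: str, data: bytes) -> str:
    """Decide allow / quarantine / block before the file reaches ImageMagick."""
    hits = scan_image_bytes(data)
    claims_raster = filename.lower().rsplit(".", 1)[-1] in RASTER_EXT
    if "url_shell_meta" in hits:
        return "block"
    # Any other indicator, or a raster extension without raster magic bytes
    # (the renamed .jpg/.png case), goes to manual review.
    if hits or (claims_raster and not data.startswith(RASTER_MAGIC)):
        return "quarantine"
    return "allow"


# Constructed samples: the MVG body reuses the fill line quoted on this page.
SAMPLE_MVG = (b"push graphic-context\nviewbox 0 0 640 480\n"
              b"fill 'url(https://example.com/image.jpg\"|ls \"-la)'\n"
              b"pop graphic-context\n")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(13)

if __name__ == "__main__":
    for name, blob in (("upload.jpg", SAMPLE_MVG), ("photo.png", SAMPLE_PNG)):
        print(name, verdict(name, blob), scan_image_bytes(blob))
```

A pre-filter like this complements, and does not replace, the patched packages and the policy.xml or coder-removal workarounds listed above.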

CVSS provenance

nvd (v3.1): 8.4 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
osv: 8.4 HIGH
vulncheck: 8.4 HIGH
cisa: 8.4 HIGH
vendor_debian: 8.4 HIGH
vendor_redhat: 8.4 HIGH
vendor_ubuntu: 8.4 HIGH