Apache Shiro rememberMe Deserialization RCE
CVE-2016-4437 affects Apache Shiro before 1.2.5. When the rememberMe feature is enabled and no custom cipher key has been configured, Shiro uses a known/default AES key in CookieRememberMeManager. The rememberMe cookie value is serialized, AES-encrypted, and Base64-encoded; because the key is known, an unauthenticated remote attacker can craft a malicious serialized Java object, encrypt it with the default key, and supply it via the rememberMe cookie to trigger unsafe deserialization on the server. Public reporting also notes that exploitation may permit bypass of intended access restrictions in addition to arbitrary code execution.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a comprehensive exploitation toolkit for Apache Shiro <= 1.2.4 (CVE-2016-4437), focusing on the 'rememberMe' deserialization vulnerability. It provides multiple Python scripts for different attack stages: key/module brute-forcing (shiro_crack.py, shiro_piliang_crack.py), remote code execution (shiro-rce/shiro_rce.py, shiro_shuyu/shiro_rce.py), reverse shell access (shiro_getshell/shiro_getshell.py), and detection/fuzzing (fuzz-shiro/check_shiro.py, thread_check.py). The core technique is to generate malicious serialized Java objects (using ysoserial.jar) encrypted with various known Shiro keys, and deliver them via the 'rememberMe' cookie in HTTP requests. The toolkit supports both single-target and batch exploitation, and includes modules for different gadget chains (CommonsBeanutils1, CommonsCollections1-6, JRMPClient). The repository is operational and can be used to achieve full remote code execution and shell access on vulnerable Shiro deployments.
This repository provides a Python-based exploit tool ('shisoserial.py') targeting Apache Shiro deserialization vulnerabilities, specifically CVE-2016-4437. The tool can:
- Check if a target web application is using the Shiro framework by probing for the 'rememberMe' cookie behavior.
- Brute-force the Shiro encryption key using a built-in dictionary ('lib/shiro_keys.txt') or a user-supplied key.
- Generate and deliver ysoserial-based Java deserialization payloads (using either CBC or GCM encryption) to exploit vulnerable Shiro instances, enabling remote command execution (default command: 'whoami', customizable by the user).
- Support batch targeting via a file of URLs, proxy configuration, POST/GET methods, and multithreading for mass exploitation.
The main entry point is 'shisoserial.py', which implements all exploit logic and command-line parsing. The repository also includes documentation in both English and Chinese, a requirements file for dependencies, and a list of common Shiro keys. The attack vector is network-based, targeting web applications over HTTP/HTTPS. The tool is operational and provides real exploitation capabilities, not just detection.
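The key brute-forcing described in both repository summaries above, and the cookie mechanics from the CVE description, have a server-side footprint a defender can look for: every cookie encrypted under a wrong key fails to decrypt or deserialize, and Shiro answers such a request by clearing the cookie with Set-Cookie: rememberMe=deleteMe, while a serialized gadget chain is far larger than a legitimate rememberMe value. The check below is an added example written for this page, not code from either repository or from Mallory; the log format, the sample lines, the 1024-character size bound and the three-rejection threshold are assumptions.

```python
import base64
import re
from collections import Counter

# Constructed sample log lines (not real traffic). Assumed format, one request per line:
#   <client_ip> "<METHOD> <path>" <status> cookie="<Cookie header>" set_cookie="<Set-Cookie header or ->"
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) cookie="([^"]*)" set_cookie="([^"]*)"$')

def _blob(n_bytes):  # constructed Base64 filler standing in for an encrypted serialized rememberMe value
    return base64.b64encode(b"\x00" * n_bytes).decode()

SAMPLE_LOG = [
    # Ordinary user: small rememberMe cookie, accepted by the server (no deleteMe in the response).
    f'10.0.0.5 "GET /app/home" 200 cookie="JSESSIONID=abc; rememberMe={_blob(160)}" set_cookie="-"',
    # One client repeatedly sends oversized rememberMe values; each time Shiro answers with
    # rememberMe=deleteMe, the cookie it sets when the value cannot be decrypted or deserialized.
    f'198.51.100.7 "GET /app/" 200 cookie="rememberMe={_blob(4096)}" set_cookie="rememberMe=deleteMe; Path=/; Max-Age=0"',
    f'198.51.100.7 "GET /app/" 200 cookie="rememberMe={_blob(4128)}" set_cookie="rememberMe=deleteMe; Path=/; Max-Age=0"',
    f'198.51.100.7 "GET /app/" 200 cookie="rememberMe={_blob(4160)}" set_cookie="rememberMe=deleteMe; Path=/; Max-Age=0"',
    # A stale but normal-sized cookie rejected once: not enough on its own to alert.
    f'10.0.0.9 "GET /app/home" 200 cookie="rememberMe={_blob(176)}" set_cookie="rememberMe=deleteMe; Path=/"',
]

def remember_me_value(cookie_header):
    """Return the rememberMe value from a Cookie header, or None when the cookie is absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "rememberMe":
            return value
    return None

def analyze(lines, size_limit=1024, delete_me_threshold=3):
    """Flag oversized rememberMe cookies and clients whose rememberMe cookies keep being rejected.
    size_limit (Base64 chars) and delete_me_threshold (rejections per client) are assumed tuning values."""
    oversized, rejected = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole run
        ip, _method, path, _status, cookie, set_cookie = m.groups()
        value = remember_me_value(cookie)
        if value is None:
            continue
        if len(value) > size_limit:
            oversized.append((ip, path, len(value)))
        if "rememberMe=deleteMe" in set_cookie:
            rejected[ip] += 1
    suspects = {ip: n for ip, n in rejected.items() if n >= delete_me_threshold}
    return {"oversized": oversized, "key_probe_suspects": suspects}
```

Run against SAMPLE_LOG, the three oversized requests and the three rejections all come from 198.51.100.7, while the single rejection from 10.0.0.9 stays below the threshold.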
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Apache Shiro remote code execution vulnerability listed among those targeted in the campaign.
Apache Shiro rememberMe deserialization vulnerability caused by use of a hardcoded default AES key in vulnerable versions, enabling exploitation via crafted rememberMe cookies.
An Apache Shiro remote code execution vulnerability listed as targeted in the campaign's broader exploitation activity.
A critical Apache Shiro rememberMe deserialization flaw affecting versions before 1.2.5 that can allow unauthenticated remote code execution when the default or known cipher key is used.