Apache Shiro rememberMe deserialization RCE / auth bypass
CVE-2016-4437 affects Apache Shiro before 1.2.5. When the framework's rememberMe feature is enabled and no custom cipher key has been configured, deployments may rely on the known default/hardcoded AES key used by CookieRememberMeManager. Shiro serializes the rememberMe object, encrypts it with AES, and Base64-encodes it into the rememberMe cookie. An unauthenticated remote attacker who knows the key can craft a malicious serialized Java object, encrypt it into a rememberMe cookie value, and submit it to the application. On deserialization, this can trigger arbitrary code execution via a suitable gadget chain. The same weakness can also permit bypass of intended access restrictions by forging rememberMe state.
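The root cause described above is a rememberMe cookie encrypted under a key the deployment never chose. The hardening a defender applies, besides upgrading past the affected range, is to give CookieRememberMeManager a deployment-specific random AES key loaded from a secrets store. The following is an added example (not code from this page or from the Apache Shiro project) against the Shiro 1.2.x web API; the Shiro class and method names are real, while the class name, helper names and the SHIRO_REMEMBERME_KEY environment variable are this example's own assumptions.

```java
// Added example: configure Shiro's CookieRememberMeManager with an explicit,
// per-deployment AES key so rememberMe cookies are never encrypted with the
// framework's built-in default. Assumes shiro-core and shiro-web 1.2.x on the classpath.
import java.security.Key;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyHardening {

    /** Generate a fresh random AES key (AesCipherService defaults to 128-bit). */
    public static byte[] generateCipherKey() {
        Key key = new AesCipherService().generateNewKey();
        return key.getEncoded();
    }

    /** Decode a key that was stored Base64-encoded in a secrets store or environment variable. */
    public static byte[] loadCipherKey(String base64Key) {
        return Base64.decode(base64Key);
    }

    /**
     * Build a web security manager whose rememberMe cookies are encrypted with the
     * supplied key. A missing or short key fails at startup rather than silently
     * leaving the default key in place.
     */
    public static DefaultWebSecurityManager buildSecurityManager(byte[] cipherKey) {
        if (cipherKey == null || cipherKey.length < 16) {
            throw new IllegalStateException(
                "rememberMe cipherKey must be an explicitly configured AES key of at least 16 bytes");
        }
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(cipherKey);        // replaces the default key
        rememberMe.getCookie().setHttpOnly(true);  // keep the cookie out of reach of page scripts

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }

    public static void main(String[] args) {
        // One-off mode: print a new key to place in the secrets store (never in source control).
        if (args.length > 0 && "generate".equals(args[0])) {
            System.out.println(Base64.encodeToString(generateCipherKey()));
            return;
        }
        // Normal startup: the key comes from the environment (hypothetical variable name), not from code.
        String configured = System.getenv("SHIRO_REMEMBERME_KEY");
        if (configured == null || configured.isEmpty()) {
            throw new IllegalStateException(
                "SHIRO_REMEMBERME_KEY is not set; refusing to start with Shiro's default rememberMe key");
        }
        DefaultWebSecurityManager sm = buildSecurityManager(loadCipherKey(configured));
        System.out.println("rememberMe manager configured: " + (sm.getRememberMeManager() != null));
    }
}
```

Run once with the argument `generate` to obtain a Base64 key, store it outside the code base, and supply it to every node of the deployment so that rememberMe cookies issued by one node verify on another. The same setting can be expressed in shiro.ini as `securityManager.rememberMeManager.cipherKey = <base64 key>`; whichever form is used, the check to add to a deployment review is that some non-default key is explicitly configured, since the vulnerability described on this page exists precisely when none is.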
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a comprehensive exploitation toolkit for Apache Shiro <= 1.2.4 (CVE-2016-4437), focusing on the 'rememberMe' deserialization vulnerability. It provides multiple Python scripts for different attack stages: key/module brute-forcing (shiro_crack.py, shiro_piliang_crack.py), remote code execution (shiro-rce/shiro_rce.py, shiro_shuyu/shiro_rce.py), reverse shell access (shiro_getshell/shiro_getshell.py), and detection/fuzzing (fuzz-shiro/check_shiro.py, thread_check.py). The core technique is to generate malicious serialized Java objects (using ysoserial.jar) encrypted with various known Shiro keys, and deliver them via the 'rememberMe' cookie in HTTP requests. The toolkit supports both single-target and batch exploitation, and includes modules for different gadget chains (CommonsBeanutils1, CommonsCollections1-6, JRMPClient). The repository is operational and can be used to achieve full remote code execution and shell access on vulnerable Shiro deployments.
This repository provides a Python-based exploit tool ('shisoserial.py') targeting Apache Shiro deserialization vulnerabilities, specifically CVE-2016-4437. The tool can:
- Check if a target web application is using the Shiro framework by probing for the 'rememberMe' cookie behavior.
- Brute-force the Shiro encryption key using a built-in dictionary ('lib/shiro_keys.txt') or a user-supplied key.
- Generate and deliver ysoserial-based Java deserialization payloads (using either CBC or GCM encryption) to exploit vulnerable Shiro instances, enabling remote command execution (default command: 'whoami', customizable by the user).
- Support batch targeting via a file of URLs, proxy configuration, POST/GET methods, and multithreading for mass exploitation.
The main entry point is 'shisoserial.py', which implements all exploit logic and command-line parsing. The repository also includes documentation in both English and Chinese, a requirements file for dependencies, and a list of common Shiro keys. The attack vector is network-based, targeting web applications over HTTP/HTTPS. The tool is operational and provides real exploitation capabilities, not just detection.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Apache Shiro vulnerability listed as weaponized by the threat actor for access operations.
An Apache Shiro remote code execution vulnerability listed among those targeted in the campaign.
Apache Shiro rememberMe deserialization vulnerability caused by use of a hardcoded default AES key in vulnerable versions, enabling exploitation via crafted rememberMe cookies.
An Apache Shiro remote code execution vulnerability listed as targeted in the campaign's broader exploitation activity.