Critical vulnerabilities have been found in one of the most popular databases i.e. MySQL.

David Golunski, a security researcher discovered two zero days, which allow an attacker to access the complete database. All the current supported versions of MySQL are vulnerable to this vulnerability.

  • MySQL Remote Root Code Execution (CVE-2016-6662)
  • Privilege Escalation (CVE-2016-6663)

Earlier David Golunski published exploit for CVE-2016-6662  at his blog. He reported this issue to Oracle but they didn’t fix it.

Golunski promised to publish exploit for another bug(CVE-2016-6663) too.
Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as MySQL forks – Percona Server and MariaDB.
Now Golunski has published the proof-of-concept exploit code for both the vulnerabilities.
Exploit 1
Exploit 2
The vulnerabilities have been fixed by their vendors and released a security patch for these.



Author: Yogesh Prasad

Ethical Hacker, Information Security Consultant, Entrepreneur, Founder – Hackers Interview