CVE-2016-3715 — ImageMagick Arbitrary File Deletion Vulnerability

ImageMagick — EPHEMERAL Pseudo-Protocol Deletes Arbitrary Files After Reading; Part of ImageTragick CVE Cluster; Patched ImageMagick 6.9.3-10 (May 2016)

What Is ImageMagick?

ImageMagick is the dominant open-source image processing library used by web applications, content management systems, and media processing pipelines worldwide. It processes user-supplied image files on the server side to perform format conversion, resizing, watermarking, and other transformations. Because ImageMagick handles arbitrary user input, vulnerabilities in its file processing pipeline directly translate to vulnerabilities in any web application that uses it — regardless of the application's own input validation.

CVE-2016-3715 is part of the ImageTragick cluster of vulnerabilities (CVE-2016-3714 through CVE-2016-3718) disclosed simultaneously on May 4, 2016. While CVE-2016-3714 (shell injection) enables remote code execution, CVE-2016-3715 specifically enables arbitrary file deletion through ImageMagick's EPHEMERAL pseudo-protocol.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-3715 is an arbitrary file deletion vulnerability in ImageMagick arising from the behavior of the ephemeral: pseudo-protocol. When ImageMagick processes an image with a filename or embedded reference using the ephemeral: prefix, it reads the file and then deletes it after reading. An attacker who can supply a crafted image filename or content can cause ImageMagick to delete arbitrary files accessible to the web server process — including application files, configuration files, or security-critical system files. It is part of the ImageTragick disclosure (May 2016). CISA added CVE-2016-3715 to the inaugural KEV catalog on November 3, 2021.

Affected Versions

ImageMagick | Status
ImageMagick < 6.9.3-10 | Vulnerable
ImageMagick 7.x < 7.0.1-1 | Vulnerable
ImageMagick 6.9.3-10 / 7.0.1-1 (with policy.xml EPHEMERAL restriction) | Mitigated
ImageMagick 6.9.4+ / 7.0.2+ | Fully patched

Technical Details

Root Cause: EPHEMERAL Pseudo-Protocol Deletes Files After Reading

CVE-2016-3715 exploits the by-design behavior of ImageMagick's ephemeral: pseudo-protocol (CWE-749). The EPHEMERAL coder is designed for temporary file handling: it reads a file's content and then deletes the file from the filesystem after reading — behavior that was intended for temporary processing scenarios.

When an attacker can influence the filename or path passed to ImageMagick (through an image upload, a URL reference in an MVG file, or another input vector), they can supply a path prefixed with ephemeral:, for example:

ephemeral:/etc/passwd
ephemeral:/var/www/html/config.php
ephemeral:/home/webuser/.ssh/authorized_keys

ImageMagick reads the file (which may succeed or fail depending on permissions) and then unconditionally deletes it from the filesystem. The web server process user (e.g., www-data) needs only write permission to the target file's directory for deletion to succeed.
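
A defensive check for the filename vector described above, as an added example (not code from ImageMagick or from this advisory): it refuses any user-supplied name carrying a coder prefix such as ephemeral: before the name reaches ImageMagick. The function names, the extension allowlist and the upload directory are assumptions of the example; references embedded in image content (such as an MVG file) are not covered by a filename check and still need the policy.xml change under Remediation.

```python
import re
from pathlib import Path

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumption: formats the app accepts
NAME_OK = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")  # no ':', '/', leading '.' or '-'

class UnsafeImageName(ValueError):
    """Raised when a user-supplied name must not reach ImageMagick."""

def safe_image_path(user_name: str, upload_dir: str) -> Path:
    """Map a user-supplied name to a path inside upload_dir, or raise."""
    if ":" in user_name:
        # "ephemeral:/path" and every other "coder:" prefix stops here.
        raise UnsafeImageName("coder prefix")
    if not NAME_OK.fullmatch(user_name):
        raise UnsafeImageName("name outside allowlist")
    if Path(user_name).suffix.lower() not in ALLOWED_EXT:
        raise UnsafeImageName("extension not allowed")
    base = Path(upload_dir).resolve()
    candidate = (base / user_name).resolve()
    if candidate.parent != base:  # e.g. a symlink planted in upload_dir
        raise UnsafeImageName("resolves outside upload directory")
    return candidate

def rejection_reason(user_name: str, upload_dir: str):
    """Return None if the name is acceptable, else the reason it was refused."""
    try:
        safe_image_path(user_name, upload_dir)
        return None
    except UnsafeImageName as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed inputs; the ephemeral: strings are the ones shown above.
    for name in ("photo.png", "ephemeral:/etc/passwd",
                 "ephemeral:/var/www/html/config.php", "../config.php", "notes.mvg"):
        print(f"{name!r}: {rejection_reason(name, '/tmp') or 'accepted'}")
```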

Attack Impact

Arbitrary file deletion enables:

  • Denial of service — deleting critical application files (configuration, index pages, database files if accessible)
  • Security bypass — deleting security controls, authentication databases, or lock files
  • Forced reset attacks — deleting configuration files that cause applications to regenerate with default (weak) credentials on restart
  • Log destruction — deleting application or system logs to cover traces of prior exploitation

ImageTragick CVE Cluster

CVE-2016-3715 was disclosed alongside the higher-severity CVE-2016-3714 (shell injection / RCE) in the ImageTragick disclosure. In practice, attackers chaining the ImageTragick vulnerabilities prioritized CVE-2016-3714 for immediate RCE; CVE-2016-3715 was used for persistence destruction and covering tracks.

Attack Characteristics

Attribute | Detail
Attack Vector | Any ImageMagick image processing context
Prerequisite | Ability to influence filename/path passed to ImageMagick
Effect | Deletion of files accessible to web server process
Permission Required | Web process write permission to target directory
Common Targets | Config files, application code, log files, auth databases

Discovery

Discovered and disclosed by Nikolay Ermishkin (Mail.Ru Security Team) and "Stewie" as part of the ImageTragick coordinated disclosure on May 4, 2016.

Exploitation Context

  • ImageTragick cluster: CVE-2016-3715 was disclosed simultaneously with CVE-2016-3714 (RCE) and three other ImageMagick vulnerabilities; in practice, the RCE vulnerability attracted the most attention, but file deletion was used in combination attacks to disable security logging or remove evidence of compromise
  • Web application attack surface: Any web application that processes user-supplied image filenames through ImageMagick — including those that allow users to specify source image URLs — is potentially vulnerable to CVE-2016-3715 if the EPHEMERAL coder is not disabled
  • Inaugural CISA KEV batch: CVE-2016-3715 was included in CISA's November 3, 2021 inaugural KEV release alongside CVE-2016-3718 (ImageMagick SSRF), reflecting confirmed exploitation of the ImageTragick cluster
  • Persistent unpatched exposure: Like CVE-2016-3714, the long tail of unpatched ImageMagick installations and vulnerable web applications means the ImageTragick cluster has remained exploitable for years after disclosure

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update ImageMagick to 6.9.4+ or 7.0.2+ — apply the fully patched version via package manager (apt upgrade imagemagick, yum update imagemagick). Verify with convert --version.

  2. Disable the EPHEMERAL coder in policy.xml — add to ImageMagick's policy.xml:

    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    

    This prevents the EPHEMERAL pseudo-protocol from functioning and eliminates CVE-2016-3715.

  3. Apply the full ImageTragick policy.xml — disable all dangerous coders simultaneously (see CVE-2016-3714 remediation for the full policy block covering EPHEMERAL, HTTPS, MVG, MSL, URL, HTTP).

  4. Run ImageMagick under a restricted process user — configure the web server to run ImageMagick processing as a dedicated user with minimal filesystem permissions; limit write access to only the directories required for temporary image processing.

  5. Monitor for unexpected file deletions — configure filesystem auditing (auditd, inotifywait) on sensitive application directories to alert on unexpected file deletions from the web server process user.
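
One way to audit steps 2 and 3, as an added example (not part of ImageMagick or of this advisory): the script parses a policy.xml and reports which of the coders named in step 3 are not disabled. The function names and both sample policies are constructed for illustration, and the matching rule is deliberately conservative, as the docstring explains.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the page names for the full ImageTragick policy block.
REQUIRED = ("EPHEMERAL", "HTTPS", "MVG", "MSL", "URL", "HTTP")

def _globs(pattern):
    """Split a "{A,B}" brace list into its members; otherwise one glob."""
    m = re.fullmatch(r"\{(.*)\}", pattern.strip())
    parts = m.group(1).split(",") if m else [pattern]
    return [p.strip().upper() for p in parts if p.strip()]

def coders_not_disabled(policy_xml, required=REQUIRED):
    """Return the required coders that policy_xml does not reliably disable.

    Conservative rule (an assumption of this example, so entry order never
    matters): a coder counts as disabled only if some coder-domain entry
    matching it has rights="none" and no matching entry grants any rights.
    """
    denied, granted = set(), set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").strip().lower() != "coder":
            continue
        rights = pol.get("rights", "").strip().lower()
        globs = _globs(pol.get("pattern", ""))
        for coder in required:
            if any(fnmatch.fnmatchcase(coder, g) for g in globs):
                (denied if rights == "none" else granted).add(coder)
    return [c for c in required if c not in denied or c in granted]

# Constructed sample: only the single line from step 2.
STEP2_ONLY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
</policymap>"""

# Constructed sample: every coder from step 3 is denied, but a later entry
# re-enables EPHEMERAL (the kind of configuration drift this check catches).
DRIFTED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,HTTPS,MVG}" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="read|write" pattern="EPHEMERAL" />
</policymap>"""

if __name__ == "__main__":
    print(coders_not_disabled(STEP2_ONLY))
    print(coders_not_disabled(DRIFTED))
```

To use it on a host, pass the contents of the policy file whose path is printed by identify -list policy.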

Key Details

Property | Value
CVE ID | CVE-2016-3715
Vendor / Product | ImageMagick — ImageMagick
NVD Published | 2016-05-05
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 5.5
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity | MEDIUM
CWE | CWE-749 — Exposed Dangerous Method or Function
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Local
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | None
Integrity | High
Availability | None

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2016-05-03 | ImageMagick 6.9.3-10 released with policy.xml mitigations for CVE-2016-3715 and related CVEs
2016-05-04 | ImageTragick public disclosure at imagetragick.com includes CVE-2016-3715 (EPHEMERAL file deletion)
2016-05-05 | CVE-2016-3715 published by NVD
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog (inaugural KEV batch)
2022-05-03 | CISA BOD 22-01 remediation deadline