Magento versions prior to 2.0.6 suffer from an unauthenticated arbitrary unserialize to arbitrary write file vulnerability.