CVE-2016-6267
Published 2017-01-30
Priority P2 75 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 54.87% (98.9th percentile)
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) spare_Community, (2) spare_AllowGroupIP, or (3) spare_AllowGroupNetmask parameter to admin_notification.php.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendmicro | smart_protection_server | — | — |
| trendmicro | smart_protection_server | — | — |
| trendmicro | smart_protection_server | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to admin_notification.php containing shell metacharacters (e.g., ;, |, $(), or backticks) in the spare_Community, spare_AllowGroupIP, or spare_AllowGroupNetmask parameters.
- Exploitation is performed via authenticated HTTP requests; alert on authenticated sessions issuing suspicious requests to admin_notification.php on Trend Micro Smart Protection Server instances.
- The injection point passes untrusted input to a system command via ServWebExec; monitor for unexpected child processes spawned by the web server process on Smart Protection Server hosts.
- The vulnerable component is SnmpUtils; monitor for SNMP-related configuration requests that trigger OS command execution on affected builds (SPS 2.5 < build 2200, 2.6 < build 2106, 3.0 < build 1330).
- Exploitation requires valid credentials; unauthenticated attackers cannot directly trigger the command injection.
- The Metasploit module targets this vulnerability via the Linux HTTP attack surface; ensure detections cover the web interface of Smart Protection Server, not just SNMP network traffic.
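The first detection item above can be expressed as a small log filter. This is an added example, not code from Trend Micro or from any source indexed on this page; it assumes each request record is available as a (method, URL, url-encoded body) tuple, and the function names and sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script and parameters named in the CVE-2016-6267 description.
TARGET_SCRIPT = "admin_notification.php"
WATCHED_PARAMS = ("spare_Community", "spare_AllowGroupIP", "spare_AllowGroupNetmask")
# Characters a POSIX shell treats specially; unusual in an SNMP community
# string and never valid in an IP address or netmask.
SHELL_META = re.compile(r"[;|&`$(){}<>\\\n\r]")

def suspicious_params(method, url, body):
    """Return {param: decoded value} for watched parameters that carry shell metacharacters."""
    parts = urlsplit(url)
    if method.upper() != "POST":
        return {}
    if not parts.path.lower().endswith("/" + TARGET_SCRIPT):
        return {}
    hits = {}
    # parse_qsl percent-decodes, so "%3B" and ";" are treated alike.
    # The query string of the POST is checked as well as the body.
    for source in (parts.query, body):
        for name, value in parse_qsl(source, keep_blank_values=True, separator="&"):
            if name in WATCHED_PARAMS and SHELL_META.search(value):
                hits[name] = value
    return hits

def scan(requests):
    """Return [(record index, hits)] for every record that trips the check."""
    return [(i, h) for i, r in enumerate(requests) if (h := suspicious_params(*r))]

# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    ("POST", "/admin_notification.php",
     "spare_Community=public&spare_AllowGroupIP=10.0.0.0&spare_AllowGroupNetmask=255.255.255.0"),
    ("POST", "/admin_notification.php", "spare_Community=public%3Bid&spare_AllowGroupIP=10.0.0.0"),
    ("POST", "/admin_notification.php", "spare_AllowGroupNetmask=255.255.255.0%60id%60"),
    ("GET", "/admin_notification.php", ""),
    ("POST", "/index.php", "spare_Community=a%7Cb"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS):
        print(f"record {index}: {hits}")
```

A match here is a lead to correlate with the authenticated session and with child processes of the web server, as the other items in the list describe.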
CVSS provenance
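| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |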
No detection rules found.
No writeups or analysis indexed.