CVE-2016-7836
published 2017-06-09

Priority: P1 · 89 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, remediation due 2025-11-04
ITW: Exploited in the wild
EPSS: 19.38% (97.0th percentile)
SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.

Affected (2 ranges)

Vendor     | Product            | Version range | Fixed in
sky_co_ltd | skysea_client_view |               |
skygroup   | skysea_client_view | <= 11.221.03  |

Detection & IOCs (extracted from sources)

  • CVE-2016-7836 is exploited via a flaw in processing authentication on the TCP connection with the SKYSEA Client View management console program; monitor for unexpected/unauthenticated TCP connections to SKYSEA Client View management console ports
  • CVE-2016-7836 has been observed as an initial access vector by the REDBALDKNIGHT (BRONZE BUTLER / Tick) APT group to install the Daserf backdoor (BKDR_DASERF / Muirim / Nioupale) on victim machines; detections for Daserf post-exploitation activity should be correlated with SKYSEA Client View exploitation
  • Daserf v1.72 and later versions use alternative base64+RC4 encryption for C2 feedback data and steganographic techniques; network traffic containing base64+RC4-encoded data to/from image-hosting sites may indicate active Daserf C2 communication post-exploitation
  • REDBALDKNIGHT's XXMM downloader (TROJ_KVNDM) and Daserf share the same steganography algorithm (alternative base64 + RC4); detections for either malware family should be cross-correlated as indicators of the same threat actor post-CVE-2016-7836 exploitation
  • CVE-2016-7836 affects SKYSEA Client View Ver.11.221.03 and earlier only; versions patched after March 2017 are not vulnerable
  • No specific malicious hashes, IPs, domains, or URLs for CVE-2016-7836 exploitation infrastructure are provided in the available sources; the Trend Micro appendix listing IOCs (hashes, C&Cs) is referenced but not reproduced in the source document

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck |         | 9.8   | CRITICAL |
cisa      |         | 9.8   | CRITICAL |