CVE-2016-7836
Published: 2017-06-09
Priority: P1 89 · critical · CVSS 3.1 score 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2025-11-04
Exploited in the wild
EPSS: 19.38% (97.0th percentile)
SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sky_co_ltd | skysea_client_view | — | — |
| skygroup | skysea_client_view | <= 11.221.03 | — |
Detection & IOCs (extracted from sources)
- CVE-2016-7836 is exploited via a flaw in processing authentication on the TCP connection with the SKYSEA Client View management console program; monitor for unexpected/unauthenticated TCP connections to SKYSEA Client View management console ports.
- CVE-2016-7836 has been observed as an initial access vector by the REDBALDKNIGHT (BRONZE BUTLER / Tick) APT group to install the Daserf backdoor (BKDR_DASERF / Muirim / Nioupale) on victim machines; detections for Daserf post-exploitation activity should be correlated with SKYSEA Client View exploitation.
- Daserf v1.72 and later versions use alternative base64+RC4 encryption for C2 feedback data and steganographic techniques; network traffic containing base64+RC4-encoded data to/from image-hosting sites may indicate active Daserf C2 communication post-exploitation.
- REDBALDKNIGHT's XXMM downloader (TROJ_KVNDM) and Daserf share the same steganography algorithm (alternative base64 + RC4); detections for either malware family should be cross-correlated as indicators of the same threat actor post-CVE-2016-7836 exploitation.
- CVE-2016-7836 affects SKYSEA Client View Ver.11.221.03 and earlier only; versions patched after March 2017 are not vulnerable.
- No specific malicious hashes, IPs, domains, or URLs for CVE-2016-7836 exploitation infrastructure are provided in the available sources; the Trend Micro appendix listing IOCs (hashes, C&Cs) is referenced but not reproduced in the source document.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-6gc8-5v43-5g2x: SKYSEA Client View Ver
ghsa_unreviewed · 2022-05-17 · CVE-2016-7836 [CRITICAL] · CWE-287
SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.
VulnCheck
SKYSEA Client View Improper Authentication Vulnerability
vulncheck · 2016 · CVSS 9.8 · CVE-2016-7836 [CRITICAL] · CWE-287
SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.
Affected: SKYSEA Client View
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://threatpost.com/virus-bulletin-japanese-attacks-apt-strategygy/148859/
- https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/#ref3
- https://
CISA
SKYSEA Client View Improper Authentication Vulnerability
cisa · 2025-10-14 · CVSS 9.8 · CVE-2016-7836 [CRITICAL] · CWE-287
Affected: SKYSEA Client View
SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://www.skyseaclientview.net/news/161221/
- https://nvd.nist.gov/vuln/detail/CVE-2016-7836
Remediation Due Date: 2025-11-04
No detection rules found.
No public exploits indexed.
Trend Micro
# REDBALDKNIGHT’s Daserf Backdoor Now Uses Steganography
blogs_trendmicro · 2017-11-07
By: Joey Chen, MingYen Hsieh
Additional analysis and insights by Higashi Yuka and Chizuru Toyama
REDBALDKNIGHT, a.k.a. BRONZE BUTLER, is a cyberespionage group that employs the Daserf backdoor in its campaigns. We found that Daserf was not only used on Japanese targets, but also against other countries. We also found versions of Daserf that use steganography.
REDBALDKNIGHT, also known as BRONZE BUTLER and Tick, is a cyberespionage group known to target Japanese organizations such as government agencies (including defense) as well as those in biotechnology, electronics manufacturing, and industrial chemistry. Their campaigns employ the Daserf backdoor (detected by Trend Micro as BKDR_DASERF, otherwise
Recorded Future
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
blogs_recorded_future · CVSS 9.8 · [CRITICAL]
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
References:
- http://www.securityfocus.com/bid/95062
- http://www.skyseaclientview.net/news/161221/
- https://jvn.jp/en/jp/JVN84995847/index.html
- https://www.skygroup.jp/security-info/170308.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-7836
Timeline:
- 2017-06-09: Published
- 2025-10-14: Added to CISA KEV
- Exploited in the wild