CVE-2016-6266

Published: Jan 30, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

ccca_ajaxhandler.php in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) host or (2) apikey parameter in a register action, (3) enable parameter in a save_stting action, or (4) host or (5) apikey parameter in a test_connection action.

Affected (3)

Products: Trendmicro: Smart Protection Server

1 product

Smart Protection Server

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Trendmicro Smart Protection Server	Version 2.5
Trendmicro Smart Protection Server	Version 2.6
Trendmicro Smart Protection Server	Version 3.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

https://qkaiser.github.io/pentesting/trendmicro/2016/08/08/trendmicro-sps/

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

https://success.trendmicro.com/solution/1114913

Source: cve@mitre.org

MitigationPatchVendor Advisory

https://qkaiser.github.io/pentesting/trendmicro/2016/08/08/trendmicro-sps/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

https://success.trendmicro.com/solution/1114913

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationPatchVendor Advisory

Timeline

No history available yet.