PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6648 EMC CVE debrief

CVE-2016-6648 is a sensitive information disclosure issue in EMC RecoverPoint and EMC RecoverPoint for Virtual Machines. The flaw stems from incorrect permissions on a sensitive system file, allowing a malicious administrator with configuration privileges to access information that should not be exposed and potentially compromise the affected system. NVD rates the issue as medium severity and classifies it as a local, high-privilege confidentiality problem.

Vendor: EMC
Product: CVE-2016-6648
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators, security teams, and platform owners running EMC RecoverPoint or RecoverPoint for Virtual Machines, especially in environments where configuration privileges are broadly assigned or delegated.

Technical summary

The supplied CVE description says versions before RecoverPoint 4.4.1.1 and RecoverPoint for Virtual Machines 5.0 are affected. NVD’s CPE criteria in the supplied corpus list EMC RecoverPoint through 4.4.1.0 and RecoverPoint for Virtual Machines through 4.0. The underlying weakness is CWE-275 (permission issues) and the NVD CVSS vector is AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating a local attack that requires high privileges and primarily impacts confidentiality.

Defensive priority

Medium — the issue requires privileged local access, but it can expose sensitive information and should be fixed in any environment that allows delegated configuration access.

Recommended defensive actions

  • Upgrade EMC RecoverPoint and RecoverPoint for Virtual Machines to vendor-fixed releases and verify the exact affected-version boundary against vendor/NVD guidance.
  • Review and correct permissions on the sensitive system file and any related configuration or secret-bearing files.
  • Restrict configuration privileges to the minimum necessary set of trusted administrators.
  • Audit privileged access and file-access logs for unauthorized reads of sensitive system files.
  • Validate hardening baselines after remediation to ensure permissions remain locked down across updates and backups.

Evidence notes

The supplied NVD record shows CVSS v3.0 4.4 with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N and CWE-275. The CVE was published on 2017-02-03 and the NVD record was modified on 2026-05-13. Supplied enrichment marks this as not listed in CISA KEV. Note: the prose description and NVD CPE criteria differ on the exact affected version cutoffs, so remediation should be checked against vendor-fixed release notes and NVD detail.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-03; the record was last modified on 2026-05-13. No CISA KEV entry is included in the supplied enrichment.