PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6649 EMC CVE debrief

CVE-2016-6649 describes multiple command injection vulnerabilities in EMC RecoverPoint and EMC RecoverPoint for Virtual Machines. According to the CVE description, a malicious administrator with configuration privileges could bypass the user interface and escalate privileges to root. The CVE was published on 2017-02-03 and is rated CVSS 6.7 (Medium).

Vendor: EMC
Product: CVE-2016-6649
CVSS: MEDIUM 6.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for EMC RecoverPoint and RecoverPoint for Virtual Machines deployments, especially environments where configuration access is delegated or shared.

Technical summary

NVD classifies the weakness as CWE-77 and assigns the vector CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The attack requires local access with high privileges, specifically configuration-level access by a malicious administrator, and can result in root-level compromise. The CVE description and NVD applicability data identify affected EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virtual Machines versions before 5.0, while the NVD CPE criteria also enumerate version ranges ending at RecoverPoint 4.4.1.0 and RecoverPoint for Virtual Machines 4.0.

Defensive priority

Moderate to high for affected deployments: exploitation is privilege-gated, but successful abuse can yield root on critical storage/replication infrastructure. Prioritize remediation where configuration access is not tightly controlled or where the platform supports sensitive replication data.

Recommended defensive actions

  • Identify any EMC RecoverPoint and RecoverPoint for Virtual Machines instances in your environment and compare them against the vulnerable version ranges in the CVE record and NVD CPE data.
  • Upgrade to the fixed releases identified in the CVE description: RecoverPoint 4.4.1.1 or later, and RecoverPoint for Virtual Machines 5.0 or later.
  • Restrict configuration privileges to the smallest possible admin group and review any delegated admin roles for unnecessary access.
  • Audit for anomalous configuration changes or unexpected command execution activity on affected systems.
  • Use the official CVE and NVD records as the baseline for internal asset validation and patch tracking.
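The version comparison in the first two actions can be scripted. The sketch below is an added example, not code from PatchSiren or EMC. It assumes an inventory of (host, product, version) records with dotted numeric version strings; the host names and sample versions are constructed.

```python
import re

# Fixed releases as stated in the CVE description quoted on this page.
FIXED = {
    "recoverpoint": (4, 4, 1, 1),
    "recoverpoint for virtual machines": (5, 0),
}

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, or None if unparseable."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def is_before(version, fixed):
    """Compare numerically, padding the shorter tuple with zeros (4.4.1 == 4.4.1.0)."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(inventory):
    """Map host -> 'vulnerable', 'fixed', or 'review' (unknown product or version)."""
    results = {}
    for host, product, version in inventory:
        fixed = FIXED.get(product.strip().lower())
        parsed = parse_version(version)
        if fixed is None or parsed is None:
            results[host] = "review"  # never guess: route to manual validation
        elif is_before(parsed, fixed):
            results[host] = "vulnerable"
        else:
            results[host] = "fixed"
    return results

# Constructed sample inventory (assumed record shape, not real asset data).
SAMPLE = [
    ("rpa-01", "RecoverPoint", "4.4.1"),
    ("rpa-02", "RecoverPoint", "4.4.1.1"),
    ("rpa-03", "RecoverPoint", "4.10"),  # a plain string compare would misorder this
    ("vrpa-01", "RecoverPoint for Virtual Machines", "4.3.1"),
    ("vrpa-02", "RecoverPoint for Virtual Machines", "5.0"),
    ("rpa-04", "RecoverPoint", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Records marked "review" are the ones to validate by hand against the CVE and NVD records rather than assume patched.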

Evidence notes

The debrief is based on the CVE description, NVD CVSS/CWE metadata, and the NVD CPE applicability entries supplied in the source corpus. The original publication date is 2017-02-03; the 2026-05-13 modified date is metadata update timing and not the issue date. The source corpus also includes third-party advisories referenced by NVD, but this debrief relies on the official record fields for the main claims.

Official resources

Publicly disclosed in the CVE record on 2017-02-03. Subsequent metadata changes on 2026-05-13 reflect record modification, not original disclosure.