PatchSiren cyber security CVE debrief

CVE-2016-7565 Exponentcms CVE debrief

CVE-2016-7565 is a critical remote code execution issue in Exponent CMS 2.3.9. According to the CVE description, attacker-controlled shell metacharacters in the sc array parameter of install/index.php can be used to execute arbitrary commands. NVD rates the issue CVSS 3.0 9.8 (critical), reflecting that it is reachable over the network without authentication and has high impact on confidentiality, integrity, and availability.

Vendor: Exponentcms
Product: CVE-2016-7565
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations running Exponent CMS 2.3.9, especially any internet-facing installations or systems where the installer path remains reachable. Security teams responsible for web application patching, exposure review, and CMS hardening should treat this as urgent.

Technical summary

The vulnerable component is install/index.php in Exponent CMS 2.3.9. The CVE description states that remote attackers can execute arbitrary commands via shell metacharacters in the sc array parameter. NVD assigns a CVSS vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and maps the weakness to CWE-284. The CVE record cites a vendor advisory, a patch commit in the Exponent CMS GitHub repository, and the v2.4.0 release as remediation references.

Defensive priority

High priority. This is a network-reachable, unauthenticated, critical-impact issue. If the affected version is exposed, remediation should be treated as urgent.

Recommended defensive actions

  • Upgrade Exponent CMS to a fixed release referenced by the project (v2.4.0 or later).
  • If an immediate upgrade is not possible, restrict access to the install/ path at the web server and, where operationally feasible, remove or disable the installer entirely once installation is complete.
  • Verify whether any Exponent CMS 2.3.9 instances are internet-facing or otherwise reachable by untrusted users.
  • Review web server and application logs for unexpected activity involving install/index.php and the sc parameter.
  • Confirm the vulnerable version is not present in backup, staging, or forgotten legacy deployments.
  • Track the vendor advisory and patch references cited in the CVE record for environment-specific remediation guidance.
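To support the log-review step above, the following is an added detection example (not PatchSiren's or Exponent CMS's code): it scans access-log lines for requests to install/index.php, flags any that carry an sc array parameter, and raises the severity when a value contains shell metacharacters. It assumes the Apache/nginx combined log format; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2016:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Sep/2016:10:02:15 +0000] "GET /install/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Sep/2016:10:03:44 +0000] "GET /install/index.php?sc%5Bdb%5D=demo%3Bsleep HTTP/1.1" 200 128 "-" "curl/7.50"
203.0.113.5 - - [22/Sep/2016:10:04:01 +0000] "GET /install/index.php?sc%5Bname%5D=mysite HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value break out of a shell command line.
METACHARS = set(';|&`$(){}<>\n')
# Matches the bare "sc" key or any array form such as "sc[db]" (parse_qsl decodes %5B/%5D).
SC_KEY_RE = re.compile(r'^sc(\[.*\])?$')


def classify(line):
    """Return (severity, reason) for one log line, or None if it does not touch the installer."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('install/index.php'):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    sc_values = [v for k, v in params if SC_KEY_RE.match(k)]
    if not sc_values:
        # The installer answered at all: it should not be reachable on a deployed site.
        return ('info', 'installer path reachable')
    if any(set(v) & METACHARS for v in sc_values):
        return ('high', 'shell metacharacter in sc parameter')
    return ('medium', 'sc parameter supplied to installer')


def scan(log_text):
    """Scan a whole log and return (ip, timestamp, severity, reason) for each relevant line."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            m = LOG_RE.match(line)
            findings.append((m.group('ip'), m.group('ts'), result[0], result[1]))
    return findings
```

Any 'high' finding on a 2.3.9 instance warrants incident-response triage of that host; 'info' findings show the installer is still exposed and should be removed or access-restricted.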

Evidence notes

Source evidence is limited to the supplied NVD CVE record and referenced official links. The CVE description states that install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter. NVD lists CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-284, and a vulnerable CPE for exponentcms:exponent_cms:2.3.9. The record references an oss-security post dated 2016-09-22, a vendor Lighthouse changeset, a GitHub patch commit, and the v2.4.0 release.

Official resources

The CVE was published by NVD on 2017-02-13. The CVE record cites an oss-security mailing-list post dated 2016-09-22, along with vendor and patch references, indicating that public disclosure and remediation activity occurred before the CVE record was published.