PatchSiren

CVE-2016-8360 Moxa CVE debrief

CVE-2016-8360 describes a double free condition in Moxa SoftCMS ASP Webserver that can be triggered by a specially crafted URL request. According to the CVE record, affected versions are SoftCMS prior to 1.6, and the impact may include denial of service or arbitrary code execution. The NVD record maps the weakness to CWE-415 and rates the issue HIGH with a network attack vector and no privileges or user interaction required.

Vendor: Moxa
Product: CVE-2016-8360
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations running Moxa SoftCMS, especially in industrial or OT environments, should treat this as a high-priority vulnerability. Security teams responsible for externally reachable web services, plant network segmentation, and asset inventory should also review exposure.

Technical summary

The vulnerability is a double free in the SoftCMS ASP Webserver reachable through a crafted URL request. NVD identifies the weakness as CWE-415 and lists affected Moxa SoftCMS versions up to and including 1.5, with version 1.6 indicated as the fixed boundary in the CVE description. Because the issue is network-reachable and can affect memory management, it may be exploitable for service disruption and potentially code execution, depending on runtime conditions.

Defensive priority

High. The issue is remotely reachable and has high potential impact on confidentiality, integrity, and availability. Even with CVSS AC:H, the combination of no authentication, no user interaction, and possible code execution makes exposure worth urgent review.

Recommended defensive actions

  • Inventory all Moxa SoftCMS deployments and determine whether any instance is running version 1.5 or earlier.
  • Upgrade SoftCMS to version 1.6 or later, using vendor-supported remediation guidance where available.
  • Restrict access to the SoftCMS ASP Webserver to trusted management networks only.
  • Monitor webserver and application logs for unusual or malformed URL requests.
  • Apply network segmentation and compensating controls for any systems that cannot be upgraded immediately.
  • Validate that only authorized administrators can reach the management interface from the network.
  • Track the NVD and official advisory references for any additional remediation details or product guidance.
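
The inventory and access-restriction steps above can be combined into one triage pass. The following is an added example, not code from the vendor or from any advisory: the inventory columns, host names, and the management network range are constructed assumptions, and only the 1.6 fixed boundary comes from the CVE description.

```python
import csv
import io
import ipaddress

FIXED_VERSION = (1, 6)  # CVE description: SoftCMS prior to 1.6 is affected
# Assumption: trusted management ranges are site-specific; this one is a placeholder.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample inventory (hypothetical hosts and columns, not real data).
SAMPLE_INVENTORY = """host,product,version,allowed_sources
cms-plant-a,Moxa SoftCMS,1.5,0.0.0.0/0
cms-plant-b,Moxa SoftCMS,1.6,10.20.0.0/24
cms-plant-c,Moxa SoftCMS,1.4.2,10.20.0.0/25
cms-lab,Moxa SoftCMS,,10.20.0.0/24
hist-01,Other Historian,1.2,0.0.0.0/0
"""

def parse_version(text):
    """Return a tuple of ints, or None when the version is missing or unparseable."""
    try:
        return tuple(int(p) for p in text.strip().lstrip("vV").split("."))
    except ValueError:
        return None

def is_restricted(allowed_sources):
    """True only if every allowed source range sits inside a trusted management net."""
    nets = [ipaddress.ip_network(s.strip()) for s in allowed_sources.split(";") if s.strip()]
    return bool(nets) and all(any(n.subnet_of(t) for t in TRUSTED_MGMT_NETS) for n in nets)

def triage(inventory_csv):
    """Return (host, status, exposed) for every SoftCMS row in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "softcms" not in row["product"].lower():
            continue
        ver = parse_version(row["version"])
        if ver is None:
            status = "unknown-version"  # needs manual verification, do not assume fixed
        elif ver < FIXED_VERSION:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append((row["host"], status, not is_restricted(row["allowed_sources"])))
    return findings

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}, reachable beyond mgmt nets: {exposed}")
```

Rows that are both vulnerable and reachable beyond the management ranges are the ones to upgrade or isolate first; rows with an unknown version are kept in the output so they are verified rather than silently skipped.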

Evidence notes

This debrief is based on the supplied CVE record and NVD metadata. The core vulnerability description comes from the CVE text in the source corpus. Affected versions are taken from the NVD CPE criteria indicating Moxa SoftCMS through 1.5. The CWE weakness classification and CVSS vector are also taken from the NVD record. Official and government-linked references provided in the corpus include the CVE record, NVD detail page, and ICS-CERT advisory reference URLs.

Official resources

Publicly disclosed in the CVE record on 2017-02-13. The NVD entry was later modified on 2026-05-13; that date reflects a metadata update, not the original issue date.