PatchSiren cyber security CVE debrief
CVE-2016-3063 NetApp CVE debrief
CVE-2016-3063 affects NetApp OnCommand System Manager before 8.3.2. According to the NVD description and NetApp references, multiple functions do not properly escape special characters, which can let a remote authenticated user execute arbitrary API calls through unspecified vectors. NetApp’s advisory and KB entry indicate a vendor fix is available, and the vulnerable version range ends at 8.3.1.
- Vendor
- NetApp
- Product
- OnCommand System Manager
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-07
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-07
- Advisory updated
- 2026-05-13
Who should care
Organizations using NetApp OnCommand System Manager, especially environments where remote authenticated users can reach the management interface. Administrators responsible for storage management, platform hardening, and patch compliance should prioritize review.
Technical summary
The issue is an input-escaping failure in multiple functions of OnCommand System Manager. NVD classifies the weakness as CWE-116 (improper encoding or escaping of output) and lists the affected CPE as NetApp OnCommand System Manager versions through 8.3.1. The CVSS 3.0 vector is AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: network-reachable, high attack complexity, low-privilege authentication required, no user interaction, and high impact on confidentiality, integrity, and availability. NetApp's KB title describes the issue as ZAPI injection (ZAPI being the XML-based ONTAP management API that System Manager drives), which is consistent with unescaped special characters altering the API requests the manager constructs from user input. The public record does not specify the exact injection points beyond arbitrary API call execution.
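To make the weakness class concrete, the following is an added, generic illustration of CWE-116 in an XML API request builder. It is not NetApp's code and does not reproduce the unspecified vector of CVE-2016-3063: the element names (api, volume-get, volume, other-call), the builder functions, and the injected payload are all hypothetical, constructed here to show how an unescaped value turns into extra API calls and how letting the XML library serialise the value prevents that.

```python
from __future__ import annotations

# Added example: generic CWE-116 illustration for an XML-style API request
# builder. Not NetApp's code; element names and payload are hypothetical and
# do not reproduce the actual CVE-2016-3063 vector.
import xml.etree.ElementTree as ET

# Constructed attacker-controlled value: closes the <volume> and <volume-get>
# elements, inserts a second call, then reopens the elements so the result
# stays well-formed and a receiving parser accepts it without complaint.
INJECTED_VOLUME = (
    "vol1</volume></volume-get>"
    "<other-call><volume>x</volume></other-call>"
    "<volume-get><volume>y"
)


def build_request_unsafe(api_name: str, volume: str) -> str:
    """Vulnerable pattern: the value is pasted into the XML text verbatim,
    so '<' and '>' inside it become markup (CWE-116)."""
    return f"<api><{api_name}><volume>{volume}</volume></{api_name}></api>"


def build_request_safe(api_name: str, volume: str) -> str:
    """Hardened pattern: the XML library serialises the value and escapes
    '&', '<' and '>', so user input can only ever be character data."""
    root = ET.Element("api")
    call = ET.SubElement(root, api_name)  # api_name must be a server-chosen constant
    ET.SubElement(call, "volume").text = volume
    return ET.tostring(root, encoding="unicode")


def api_calls_in(request_xml: str) -> list[str]:
    """Names of the call elements the request actually carries, as the
    receiving API would see them. A legitimate request has exactly one."""
    return [child.tag for child in ET.fromstring(request_xml)]


def volume_in(request_xml: str) -> str:
    """The <volume> text of the first call, after parsing."""
    return ET.fromstring(request_xml)[0].find("volume").text


if __name__ == "__main__":
    print(api_calls_in(build_request_unsafe("volume-get", INJECTED_VOLUME)))
    print(api_calls_in(build_request_safe("volume-get", INJECTED_VOLUME)))
```

With the unsafe builder the receiving side sees three calls (volume-get, other-call, volume-get) and a volume named plain vol1; with the safe builder it sees one call whose volume text is the whole payload, inert. The safe builder still passes api_name through as an element name, so that argument must come from server-side code, never from the request.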
Defensive priority
High. Exploitation requires an authenticated user and carries high attack complexity, but a successful exploit can affect confidentiality, integrity, and availability of the managed storage. Because a vendor fix is referenced and the vulnerable versions are clearly bounded, patching and access review should be prioritized.
Recommended defensive actions
- Upgrade NetApp OnCommand System Manager to 8.3.2 or later, per the vendor references.
- Review which users can authenticate to the management interface and restrict access to only necessary administrative accounts and networks.
- Audit management-plane logs for unusual or unexpected API activity around the affected system.
- Confirm whether any deployed instances are running versions at or below 8.3.1 and remediate them first.
- Follow NetApp advisory guidance from the referenced KB and security advisory for product-specific mitigation steps.
- After remediation, validate the installed version and confirm the management interface is not exposed more broadly than required.
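The version-bounding steps above (find instances at or below 8.3.1, remediate them first, confirm the installed version afterwards) reduce to a comparison against the first fixed release. The following is an added example, not NetApp's or PatchSiren's tooling, that triages a constructed inventory of hostnames and reported versions. It assumes NetApp's patch-level suffix convention (for example 8.3.2P1) and treats any release below 8.3.2, P-level or not, as vulnerable, following the boundary stated in the record; entries it cannot parse are surfaced rather than silently skipped.

```python
from __future__ import annotations

# Added example: version triage against the CVE-2016-3063 fixed boundary.
# Not NetApp's code; hostnames and version strings below are constructed.
import re

# First fixed release per the NVD record and NetApp references.
FIXED_VERSION = (8, 3, 2)

# Assumption: versions look like "8.3.1", "8.3", or carry a NetApp patch
# level such as "8.3.2P1". The P level is parsed but never lifts a release
# above the boundary: "before 8.3.2" means every 8.3.1Px is still vulnerable.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:P(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse major.minor[.patch][Pn] into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_vulnerable(version: str) -> bool:
    """True when the release is below 8.3.2, the affected range in the record."""
    return parse_version(version)[:3] < FIXED_VERSION


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into remediate-first, fixed, and unparsed buckets.
    Unparsed entries stay visible so a bad inventory field cannot hide
    a vulnerable instance."""
    buckets: dict[str, list[str]] = {"remediate_first": [], "fixed": [], "unparsed": []}
    for host, version in inventory.items():
        try:
            bucket = "remediate_first" if is_vulnerable(version) else "fixed"
        except ValueError:
            bucket = "unparsed"
        buckets[bucket].append(host)
    return buckets


# Constructed sample inventory with hypothetical hostnames, not real data.
SAMPLE_INVENTORY = {
    "sm-prod-01": "8.3.1",
    "sm-prod-02": "8.3.2",
    "sm-lab-01": "8.3.2P1",
    "sm-legacy": "8.2.3P5",
    "sm-dr": "8.3",
    "sm-unknown": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run the same check again after upgrading: the post-remediation validation step is simply that every host lands in the fixed bucket and the unparsed bucket is empty.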
Evidence notes
Primary evidence comes from the NVD record and the linked NetApp references. NVD states: multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, enabling remote authenticated users to execute arbitrary API calls via unspecified vectors. NVD also lists the affected version range through 8.3.1, CWE-116, and the CVSS 3.0 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. NetApp references include a KB article titled "CVE-2016-3063 ZAPI injection vulnerability in OnCommand System Manager" and advisory ntap-20160310-0004.
Official resources
- CVE-2016-3063 CVE record (CVE.org)
- CVE-2016-3063 NVD detail (NVD)
- Mitigation or vendor reference: NetApp security advisory and KB article, tagged Patch and Vendor Advisory in the NVD record
- Source reference: publicly disclosed in the CVE/NVD record dated 2017-02-07. Vendor advisory references are included in the official record.