PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8212 NetBSD CVE debrief

CVE-2015-8212 is a critical NetBSD vulnerability in bozohttpd CGI handling that can allow a remote attacker to execute arbitrary code by supplying crafted arguments to a non-CGI-aware program. NVD marks the issue as CVSS 9.8 with full confidentiality, integrity, and availability impact. The affected NetBSD releases listed by NVD are 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0.

Vendor: NetBSD
Product: CVE-2015-8212
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

NetBSD administrators and operators who expose bozohttpd or CGI-enabled web services on affected NetBSD releases should treat this as urgent. Security teams responsible for internet-facing NetBSD hosts should also prioritize validation and remediation.

Technical summary

The NVD record describes a CGI handling flaw in bozohttpd where crafted arguments can be passed to a program that is not CGI-aware, creating a path to arbitrary code execution. NVD maps the weakness to CWE-20 and rates the issue CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote, unauthenticated exploitation potential with severe impact.

Defensive priority

Urgent. This is a network-reachable, unauthenticated remote-code-execution-class issue with a critical CVSS score and complete confidentiality, integrity, and availability impact in the NVD vector. Exposed systems should be reviewed and remediated as soon as possible.

Recommended defensive actions

  • Identify NetBSD systems running affected versions: 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0.
  • Review whether bozohttpd and any CGI functionality are enabled on those systems.
  • Apply the remediation guidance from the NetBSD-SA2016-005 vendor advisory and move affected hosts to a non-vulnerable NetBSD release.
  • Restrict exposure of any affected web service until remediation is complete.
  • Validate web-facing NetBSD assets in inventory, including custom builds and appliances that may embed bozohttpd.
  • Monitor for unexpected behavior on internet-facing NetBSD services while remediation is being scheduled.
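The first two actions above (find affected releases, then check whether bozohttpd has CGI switched on) can be scripted for an inventory sweep. The helper below is an added example, not code from NetBSD or the advisory; it assumes, beyond what the page states, that NetBSD's base httpd is bozohttpd, started from /etc/rc.conf (httpd=YES plus httpd_flags) or /etc/inetd.conf, and that CGI is enabled with its "-c <dir>" option.

```shell
# Added triage helper for CVE-2015-8212 (example code, not from NetBSD or the
# advisory). Assumed, not stated on the page: bozohttpd is NetBSD's base httpd,
# started via rc.conf or inetd.conf, and "-c <dir>" is what turns CGI on.

# Return 0 when a `uname -r` style release string falls in a range the NVD
# record lists as affected: 6.0..6.0.6, 6.1..6.1.5, or 7.0. A "_STABLE" style
# suffix is dropped, so "7.0_STABLE" is conservatively treated as 7.0.
release_affected() {
    rel=${1%%_*}
    case "$rel" in
        *.*.*) patch=${rel##*.}; mm=${rel%.*} ;;
        *)     patch=0;          mm=$rel ;;
    esac
    case "$patch" in *[!0-9]*) return 1 ;; esac   # unparsable: not classified
    case "$mm" in
        6.0) [ "$patch" -le 6 ] ;;
        6.1) [ "$patch" -le 5 ] ;;
        7.0) [ "$patch" -eq 0 ] ;;
        *)   return 1 ;;
    esac
}

# Return 0 when an uncommented httpd line in the config text on stdin (or in the
# files named as arguments) carries -c. An indicator for manual confirmation.
cgi_enabled() {
    grep -v '^[[:space:]]*#' "$@" | grep httpd |
        grep -qE '(^|[[:space:]"])-c([[:space:]]|$)'
}

# One-line verdict for an inventory sweep: release string, then config text.
triage() {
    rel=$1; shift
    if release_affected "$rel"; then
        if printf '%s\n' "$@" | cgi_enabled; then
            echo "AFFECTED release $rel with CGI enabled: remediate urgently"
        else
            echo "AFFECTED release $rel, CGI not detected: still upgrade"
        fi
    else
        echo "release $rel not in the NVD affected ranges"
    fi
}

# Constructed rc.conf fragment for the demo (not taken from any real host).
SAMPLE_RC='hostname=www1
httpd=YES
httpd_flags="-c /var/www/cgi-bin /var/www"'
triage "6.1.4" "$SAMPLE_RC"
```

On a real host the call would be `triage "$(uname -r)" "$(cat /etc/rc.conf /etc/inetd.conf)"`; a host reported as affected should be upgraded per NetBSD-SA2016-005 regardless of whether CGI is detected.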

Evidence notes

This debrief is based only on the provided official vulnerability corpus: the CVE record, the NVD detail entry, and the referenced NetBSD vendor advisory link. The corpus states that the flaw affects NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0, and that the impact is remote arbitrary code execution via crafted CGI arguments handled by a non-CGI-aware program. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-20.

Official resources

The CVE was published on 2017-01-19. The provided record was later modified on 2026-05-13. The NetBSD vendor advisory referenced in the corpus is NetBSD-SA2016-005.