PatchSiren cyber security CVE debrief
CVE-2016-10098 Sendquick CVE debrief
CVE-2016-10098 is a critical command injection vulnerability affecting SendQuick Entera and Avera SMS gateway appliances before 2HF16. The issue is documented as allowing attackers to execute arbitrary system commands, and NVD classifies it as remotely reachable with no authentication and no user interaction required. Organizations using these appliances should treat exposed management or service interfaces as high risk until the affected firmware is identified and remediated.
- Vendor
- Sendquick
- Product
- CVE-2016-10098
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-05
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-05
- Advisory updated
- 2026-05-13
Who should care
Security teams, network administrators, and operations staff responsible for SendQuick Entera or Avera SMS gateway appliances should prioritize this issue, especially if the devices are reachable from untrusted networks or used in sensitive messaging workflows.
Technical summary
The published vulnerability data describes multiple command injection flaws in SendQuick Entera and Avera devices running firmware before 2HF16. NVD assigns CWE-77 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-exploitable issue with no privileges or user interaction required and the potential for full confidentiality, integrity, and availability impact. The source corpus also links a third-party advisory and a SecurityFocus BID reference.
Defensive priority
Immediate. The combination of remote reachability, no authentication, and high impact places this issue in the highest remediation tier for affected environments.
Recommended defensive actions
- Inventory all SendQuick Entera and Avera SMS gateway appliances and confirm firmware versions.
- Identify any systems running firmware before 2HF16 and prioritize them for remediation.
- Apply vendor guidance or firmware updates that move devices beyond the affected pre-2HF16 range, if available.
- Restrict network access to appliance management and service interfaces to trusted administrative segments only.
- Monitor logs and telemetry for signs of unexpected command execution or unusual appliance behavior.
- If a device cannot be updated promptly, isolate it and plan replacement or compensating controls.
Evidence notes
Primary details come from the NVD record for CVE-2016-10098, which lists affected SendQuick Entera SMS Gateway firmware and SendQuick Avera SMS Gateway firmware, both vulnerable before 2HF16, and maps the weakness to CWE-77. The supplied CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The corpus also includes a SecurityFocus BID 96129 reference and a third-party advisory link from Niantech. No KEV entry is provided in the supplied enrichment.
Official resources
-
CVE-2016-10098 CVE record
CVE.org
-
CVE-2016-10098 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
-
Mitigation or vendor reference
[email protected] - Press/Media Coverage, Third Party Advisory, URL Repurposed
Published in NVD and the CVE record on 2017-02-05; later modified on 2026-05-13. The supplied enrichment does not list this CVE in CISA KEV.