
PatchSiren cyber security CVE debrief

CVE-2016-5742 Sixapart CVE debrief

CVE-2016-5742 is a critical SQL injection vulnerability in Movable Type’s XML-RPC interface. According to the NVD record, a remote attacker can execute arbitrary SQL commands, which can expose, alter, or destroy data in affected installations. The issue affects Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6, as well as Movable Type Open Source 5.2.13 and earlier. The CVE record was published on 2017-01-23, while the linked vendor release notes and security references date to 2016-06-22, indicating that fixed releases were available by that time.

Vendor: Sixapart
Product: CVE-2016-5742
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Movable Type Pro/Advanced 6.x or Movable Type Open Source 5.2.13 and earlier, especially if XML-RPC is exposed to untrusted networks. Database administrators should also care because successful exploitation can directly affect the backend database.

Technical summary

NVD classifies the flaw as CWE-89 (SQL Injection) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is in the XML-RPC interface and is reachable remotely without privileges or user interaction. The reported impact is arbitrary SQL command execution, which implies potential full compromise of application data confidentiality, integrity, and availability.

Defensive priority

Critical. Treat as an urgent patching issue for any exposed or production Movable Type deployment in the affected version ranges.

Recommended defensive actions

  • Upgrade Movable Type Pro/Advanced to 6.1.3 (6.1.x line) or 6.2.6 (6.2.x line), or later.
  • Upgrade Movable Type Open Source to a version later than 5.2.13.
  • If immediate upgrading is not possible, restrict access to the XML-RPC interface to trusted hosts only until remediation is complete.
  • Review application and database logs for suspicious XML-RPC requests or unexpected SQL-related errors.
  • Validate that no legacy deployments remain on affected versions across all environments, including staging and archived instances.
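To support the last three actions, the following added script (not PatchSiren's or Movable Type's own code) checks whether a reported edition and version fall in the affected ranges stated above, and triages access-log lines for XML-RPC requests from hosts outside a trusted allowlist. The endpoint path, the trusted CIDR list and the log lines are assumptions or constructed samples; set the path to your deployment's actual XML-RPC endpoint.

```python
import ipaddress
import re

# Assumed XML-RPC endpoint path; verify against your own deployment.
XMLRPC_PATH = "/cgi-bin/mt/mt-xmlrpc.cgi"
# Assumed trusted hosts (e.g. internal publishing clients).
TRUSTED_CIDRS = ["10.0.0.0/8"]

# Constructed sample access-log lines (Apache/nginx combined style).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2016:10:01:02 +0000] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Jun/2016:10:01:09 +0000] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 500 0',
    '203.0.113.7 - - [22/Jun/2016:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.4 - - [22/Jun/2016:10:02:00 +0000] "POST /cgi-bin/mt/mt-xmlrpc.cgi?x=1 HTTP/1.1" 200 300',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_affected(edition: str, version: str) -> bool:
    """Affected ranges from the NVD record quoted in the debrief:
    Pro/Advanced 6.x before 6.1.3, 6.2.x before 6.2.6; Open Source <= 5.2.13."""
    v = tuple(int(p) for p in version.split("."))
    if edition in ("pro", "advanced"):
        if v[0] != 6:
            return False  # only the 6.x lines are named in the record
        if v < (6, 2):
            return v < (6, 1, 3)
        if v < (6, 3):
            return v < (6, 2, 6)
        return False  # 6.3+ is not in the stated range
    if edition == "opensource":
        return v <= (5, 2, 13)
    raise ValueError(f"unknown edition: {edition}")


def flag_xmlrpc_requests(lines, xmlrpc_path=XMLRPC_PATH, trusted_cidrs=TRUSTED_CIDRS):
    """Return (ip, method, status) for XML-RPC hits from hosts outside the allowlist.
    A 5xx status on such a request is worth correlating with database error logs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != xmlrpc_path:
            continue  # malformed line or not the XML-RPC endpoint
        if any(ipaddress.ip_address(m["ip"]) in n for n in nets):
            continue  # trusted source, skip
        hits.append((m["ip"], m["method"], m["status"]))
    return hits
```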

Evidence notes

Source corpus supports the affected versions, attack surface, and impact: the NVD record lists SQL injection in the XML-RPC interface, remote arbitrary SQL execution, CWE-89, and the affected version ranges. The referenced Movable Type release notes on 2016-06-22 indicate the fixed 6.1.3 and 6.2.6 releases. CVE publication date used here is 2017-01-23 from the supplied record; that is distinct from the earlier vendor reference dates.

Official resources

Publicly disclosed through official and third-party references tied to the CVE record. The supplied record shows the CVE published on 2017-01-23, with linked vendor release notes and advisories dated 2016-06-22.