PatchSiren cyber security CVE debrief
CVE-2016-6266 Trendmicro CVE debrief
CVE-2016-6266 is a high-severity authenticated remote command execution vulnerability in Trend Micro Smart Protection Server. The issue affects Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330. According to the NVD description, shell metacharacters in multiple parameters handled by cccca_ajaxhandler.php can let a remote authenticated user execute arbitrary commands.
- Vendor: Trendmicro
- Product: CVE-2016-6266
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-30
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-30
- Advisory updated: 2026-05-13
Who should care
Security teams and administrators running Trend Micro Smart Protection Server 2.5, 2.6, or 3.0 prior to the fixed builds, especially if authenticated users can reach the affected web interface.
Technical summary
NVD describes the flaw as remote authenticated command execution via shell metacharacters in the host or apikey parameter during register and test_connection actions, and in the enable parameter during save_stting. The vulnerability is network-reachable, requires low privileges, and has full confidentiality, integrity, and availability impact per the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. NVD lists CWE-20 as the primary weakness.
Defensive priority
High. The combination of network exposure, a requirement for only low-privileged authenticated access, and full system-impact potential makes this a priority remediation item for any affected deployment.
Recommended defensive actions
- Upgrade Trend Micro Smart Protection Server to the vendor-fixed builds: 2.5 build 2200 or later, 2.6 build 2106 or later, and 3.0 build 1330 or later.
- Restrict administrative and authenticated access to the Smart Protection Server web interface to only trusted management networks.
- Review application and system logs for suspicious activity involving register, save_stting, or test_connection actions and unexpected command execution behavior.
- Audit which accounts can authenticate to the interface and remove unnecessary privileged access.
- If immediate patching is not possible, reduce exposure by segmenting the server and tightly limiting inbound access until remediation is complete.
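The log review recommended above can be sketched as follows; this is an added example, not part of the NVD record or Trend Micro's guidance. It assumes the request parameters appear in the logged URL and that the action is passed in a parameter named `action`; the log lines, request path, and that parameter name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the NVD description names for each cccca_ajaxhandler.php action.
WATCHED = {
    "register": ("host", "apikey"),
    "test_connection": ("host", "apikey"),
    "save_stting": ("enable",),
}
# Conservative set of shell metacharacters chosen for this example.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\r\n]")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(url, action_key="action"):
    """Return (action, param, decoded value) for watched params holding metacharacters."""
    parts = urlsplit(url)
    if not parts.path.endswith("/cccca_ajaxhandler.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = []
    for action in query.get(action_key, []):  # action_key is an assumed parameter name
        for param in WATCHED.get(action, ()):
            hits += [(action, param, v) for v in query.get(param, []) if SHELL_META.search(v)]
    return hits

def scan(lines):
    """Return (line number, action, param, value) for every flagged request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings += [(number, *hit) for hit in suspicious_params(match.group(1))]
    return findings

# Constructed sample log lines (addresses, users, path and values are made up).
SAMPLE_LOG = [
    '192.0.2.10 - admin [30/Jan/2017:10:00:01 +0000] "GET /cccca_ajaxhandler.php?action=test_connection&host=cca.example.net&apikey=ABC123 HTTP/1.1" 200 52',
    '192.0.2.44 - user1 [30/Jan/2017:10:02:17 +0000] "GET /cccca_ajaxhandler.php?action=register&host=cca.example.net%3BCONSTRUCTED&apikey=ABC123 HTTP/1.1" 200 52',
    '192.0.2.44 - user1 [30/Jan/2017:10:02:40 +0000] "GET /cccca_ajaxhandler.php?action=save_stting&enable=1%7CCONSTRUCTED HTTP/1.1" 200 52',
    '192.0.2.10 - admin [30/Jan/2017:10:05:00 +0000] "GET /index.php?host=a%3Bb HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

If the interface submits these parameters in a POST body, the same check applies to whatever proxy or WAF log records the body fields.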
Evidence notes
The NVD record and CVE description both identify authenticated command execution in cccca_ajaxhandler.php and list the affected product versions. NVD assigns CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-20. The Trend Micro advisory link is the vendor reference for mitigation and patch guidance, and the third-party technical reference provides supporting technical context. The CVE was published on 2017-01-30; the 2026 modified date reflects a database update, not the original disclosure date.
Official resources
- CVE-2016-6266 CVE record (CVE.org)
- CVE-2016-6266 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Exploit, Technical Description, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mitigation, Patch, Vendor Advisory
Publicly disclosed on 2017-01-30 per the CVE publication timestamp. The 2026-05-13 modified timestamp reflects later record maintenance, not the initial vulnerability disclosure.