PatchSiren cyber security CVE debrief
CVE-2016-6267 Trendmicro CVE debrief
CVE-2016-6267 describes an authenticated command injection issue in Trend Micro Smart Protection Server’s SnmpUtils handling for admin_notification.php. If an attacker can authenticate to the product, shell metacharacters in specific parameters may be used to execute arbitrary commands on affected systems.
- Vendor: Trendmicro
- Product: CVE-2016-6267
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-30
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-30
- Advisory updated: 2026-05-13
Who should care
Organizations running Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, or 3.0 before build 1330 should treat this as important. Security teams responsible for web-administered appliance/software platforms should also prioritize it because the impact is full remote command execution once authentication is obtained.
Technical summary
The vulnerability is described as a shell metacharacter injection flaw in SnmpUtils within admin_notification.php. The affected parameters are spare_Community, spare_AllowGroupIP, and spare_AllowGroupNetmask. NVD lists the weakness under CWE-20 and rates the issue CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network reachability, low attack complexity, and high confidentiality, integrity, and availability impact.
Defensive priority
High. The issue is network-reachable and can lead to arbitrary command execution by a remote authenticated user, so exposed or actively administered Smart Protection Server deployments should be patched quickly.
Recommended defensive actions
- Upgrade Trend Micro Smart Protection Server to a fixed build: 2.5 build 2200 or later, 2.6 build 2106 or later, or 3.0 build 1330 or later.
- Review and restrict administrative access to Smart Protection Server accounts, since the attack requires authentication.
- Validate that any systems matching the affected product versions are inventoried and scheduled for remediation.
- Check vendor guidance in the Trend Micro advisory for product-specific mitigation steps and patch availability.
- Inspect administrative and application logs for unexpected use of admin_notification.php or unusual parameter values.
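The log inspection in the last action can be scripted. The sketch below is an added example, not code from Trend Micro or from the referenced advisories: it flags requests to admin_notification.php whose spare_Community, spare_AllowGroupIP, or spare_AllowGroupNetmask values contain shell metacharacters. It assumes an Apache-style log that records the parameters in the request line and that the IP and netmask fields normally hold dotted-quad values; the URL path and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names taken from the CVE description.
IP_PARAMS = {"spare_AllowGroupIP", "spare_AllowGroupNetmask"}
WATCHED = IP_PARAMS | {"spare_Community"}
# Characters with special meaning to a POSIX shell, plus CR/LF.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n\r]")
# Assumed log shape: Apache-style quoted request field with the query string.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(line):
    """Return sorted (param, reason) pairs for one log line; [] if nothing to flag."""
    m = REQUEST.search(line)
    target = urlsplit(m.group(1)) if m else None
    if target is None or not target.path.endswith("/admin_notification.php"):
        return []
    findings = set()
    # parse_qs percent-decodes values, so an encoded %3B is checked as ';'.
    for name, values in parse_qs(target.query, keep_blank_values=True).items():
        if name not in WATCHED:
            continue
        for value in values:
            if SHELL_META.search(value):
                findings.add((name, "shell metacharacter"))
            elif name in IP_PARAMS and value:
                try:  # assumption: these two fields normally hold dotted quads
                    ipaddress.IPv4Address(value)
                except ValueError:
                    findings.add((name, "not a dotted-quad value"))
    return sorted(findings)

def scan(lines):
    """Return (line_number, findings) for every line that has findings."""
    hits = ((n, suspicious_params(l)) for n, l in enumerate(lines, 1))
    return [(n, f) for n, f in hits if f]

# Constructed sample lines, not taken from any real system.
_P = '10.0.0.5 - admin [01/Feb/2017:10:00:00 +0000] "POST /admin_notification.php?'
SAMPLE_LOG = [
    _P + 'spare_Community=public&spare_AllowGroupIP=10.0.0.0 HTTP/1.1" 200 512',
    _P + 'spare_Community=public%3BPLACEHOLDER HTTP/1.1" 200 512',
    _P + 'spare_AllowGroupNetmask=255.255.255.0%60PLACEHOLDER%60 HTTP/1.1" 200 512',
    _P + 'spare_AllowGroupIP=not-an-ip HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Feb/2017:10:00:05 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200 90',
]
```

Web servers usually do not log POST bodies, so where the parameters are submitted in the body this check needs a source that records them, such as a reverse proxy or application audit log.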
Evidence notes
All material facts in this debrief are taken from the supplied NVD record and the linked Trend Micro and third-party references. The CVE description states that authenticated remote users can execute arbitrary commands via shell metacharacters in spare_Community, spare_AllowGroupIP, or spare_AllowGroupNetmask in admin_notification.php. NVD lists affected Smart Protection Server versions/builds and a CVSS 3.1 score of 8.8 with CWE-20.
Official resources
- CVE-2016-6267 CVE record (CVE.org)
- CVE-2016-6267 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Exploit, Technical Description, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mitigation, Patch, Vendor Advisory
CVE-2016-6267 was published on 2017-01-30T22:59:00.577Z. The supplied NVD record shows a later modification timestamp of 2026-05-13T00:24:29.033Z, which should be treated as record update context rather than the vulnerability's original publication time.