PatchSiren cyber security CVE debrief
CVE-2016-6268 Trendmicro CVE debrief
CVE-2016-6268 is a high-severity Trend Micro Smart Protection Server flaw that can let a local webserv user execute arbitrary code with root privileges. The vulnerable builds listed in the NVD record are Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330. The issue is tied to a Trojan horse .war file placed in the Solr webapps directory, and the NVD CVSS vector reflects a local attack path with high impact to confidentiality, integrity, and availability.
- Vendor: Trendmicro
- Product: CVE-2016-6268
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-30
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-30
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for Trend Micro Smart Protection Server deployments, especially instances running 2.5, 2.6, or 3.0 on builds older than the fixed releases. Because the attack requires local webserv access, systems with any shared administrative access, service accounts, or exposed maintenance paths deserve immediate review.
Technical summary
The NVD record describes a local privilege-escalation condition in Trend Micro Smart Protection Server where a webserv user can use a Trojan horse .war file in the Solr webapps directory to execute arbitrary code as root. NVD classifies the weakness as CWE-264 and assigns CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: the attack is local, requires low privileges and no user interaction, has low attack complexity, and results in full system compromise if exploited.
Defensive priority
High. Although exploitation is local rather than remote, successful abuse yields root-level arbitrary code execution, which materially increases the risk to appliance integrity and downstream security services.
Recommended defensive actions
- Confirm whether any Trend Micro Smart Protection Server systems are running 2.5, 2.6, or 3.0.
- Upgrade affected deployments to a fixed build at or above the vendor-specified versions: 2.5 build 2200, 2.6 build 2106, or 3.0 build 1330.
- Review local access to the webserv account and restrict administrative and shell access to trusted operators only.
- Inspect the Solr webapps directory and related application deployment locations for unexpected .war files or other unauthorized artifacts.
- Validate that the vendor mitigation guidance in Trend Micro advisory 1114913 has been applied.
- Treat any confirmed unauthorized .war placement or unexpected root execution as a security incident and investigate host integrity.
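The version check and the webapps inspection from the list above can be scripted. The following is an added example, not code from Trend Micro or from the NVD record: the fixed-build table is taken from this page, while the directory path and the baseline of expected .war hashes are assumptions the operator supplies from a known-good install.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# First fixed build per release line, as stated on this page.
FIXED_BUILDS = {"2.5": 2200, "2.6": 2106, "3.0": 1330}

def is_affected(version, build):
    """True/False for the release lines listed above; None for any other line."""
    fixed = FIXED_BUILDS.get(version)
    return None if fixed is None else build < fixed

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_webapps(webapps_dir, baseline):
    """Compare .war files in webapps_dir with baseline {filename: sha256}.

    The directory path and the baseline are assumptions supplied by the
    operator (recorded from a known-good install); neither is on the page.
    """
    root = Path(webapps_dir)
    findings = []
    # A deployment directory writable beyond its owner invites planted archives.
    if root.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("dir-writable-by-group-or-other", root.name))
    for entry in root.iterdir():
        if entry.suffix.lower() != ".war":
            continue
        if entry.is_symlink():  # checked first so the link target is never read
            findings.append(("symlinked-war", entry.name))
        elif entry.name not in baseline:
            findings.append(("unexpected-war", entry.name))
        elif sha256_file(entry) != baseline[entry.name]:
            findings.append(("hash-mismatch", entry.name))
    return sorted(findings)

def demo():
    """Constructed sample: one expected archive, one modified, one unknown."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "known.war").write_bytes(b"known-good sample")
        (root / "changed.war").write_bytes(b"original sample")
        baseline = {p.name: sha256_file(p) for p in root.glob("*.war")}
        (root / "changed.war").write_bytes(b"modified sample")
        (root / "extra.war").write_bytes(b"not in inventory")
        return audit_webapps(root, baseline)

if __name__ == "__main__":
    print(is_affected("3.0", 1329), demo())
```

Any finding from `audit_webapps` on a production host is a prompt for the incident handling described in the last action above, not proof of exploitation on its own.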
Evidence notes
The CVE description supplied in the corpus states that Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allow local webserv users to execute arbitrary code with root privileges via a Trojan horse .war file in the Solr webapps directory. The NVD metadata also lists the affected CPEs for those versions, the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and CWE-264. Vendor and third-party reference links in the record point to Trend Micro advisory 1114913 and a technical write-up.
Official resources
- CVE-2016-6268 CVE record (CVE.org)
- CVE-2016-6268 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Exploit, Technical Description, Third Party Advisory
- Mitigation or vendor reference: Mitigation, Patch, Vendor Advisory
Publicly disclosed on 2017-01-30, based on the CVE publication timestamp supplied in the record. The NVD record was modified on 2026-05-13, but that date reflects record maintenance, not the original issue date.