PatchSiren cyber security CVE debrief

CVE-2016-6269 Trendmicro CVE debrief

CVE-2016-6269 is a critical Trend Micro Smart Protection Server vulnerability involving multiple directory traversal flaws. The issue affects Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330. According to the published vulnerability description, a remote attacker can use the tmpfname parameter in several log management handlers, and the tf parameter in wcs_bwlists_handler.php, to read or delete arbitrary files. The NVD rates the issue 9.1/CRITICAL with a network attack vector and no user interaction required.

Vendor: Trendmicro
Product: CVE-2016-6269
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Trend Micro Smart Protection Server, especially installations on affected 2.5, 2.6, or 3.0 builds. Teams responsible for file integrity, log systems, and perimeter security monitoring should treat this as high priority because the flaw enables remote file access and deletion.

Technical summary

NVD describes CVE-2016-6269 as multiple CWE-22 directory traversal vulnerabilities in Trend Micro Smart Protection Server. The vulnerable entry points are log_mgt_adhocquery_ajaxhandler.php, log_mgt_ajaxhandler.php, and wcs_bwlists_handler.php, with attack input delivered through the tmpfname or tf parameters. Successful exploitation can allow an unauthenticated remote attacker to traverse directories and access or remove arbitrary files on the server. The published CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Defensive priority

Critical. This is a remotely reachable, no-authentication issue with high confidentiality and integrity impact. Because arbitrary file read and delete are both possible, exposed systems should be prioritized for patching or service isolation immediately.

Recommended defensive actions

Upgrade Trend Micro Smart Protection Server to a fixed build: 2.5 build 2200 or later, 2.6 build 2106 or later, or 3.0 build 1330 or later, as applicable.
Verify internet or internal network exposure of the affected PHP handlers and restrict access to the management interface.
Review logs and file-integrity alerts for unexpected access patterns involving the listed handlers and parameters.
Validate that the vendor advisory and remediation guidance have been applied in the deployed environment.
If immediate patching is not possible, isolate the server at the network layer and limit administrative access to trusted hosts only.

Evidence notes

The vulnerability description and affected versions come from the supplied NVD record and match the published vendor reference. NVD lists the weakness as CWE-22 and assigns CVSS v3.1 9.1/CRITICAL with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The source corpus also includes a Trend Micro vendor advisory reference for mitigation and a third-party technical writeup reference. No KEV record was supplied for this CVE.

Official resources

CVE-2016-6269 CVE record
CVE.org
CVE-2016-6269 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Exploit, Technical Description, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mitigation, Patch, Vendor Advisory

Publicly disclosed in the source record on 2017-01-30T22:59:00.640Z. The supplied record was last modified on 2026-05-13T00:24:29.033Z.