PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6600 Zohocorp CVE debrief

CVE-2016-6600 is a critical directory traversal flaw in ZOHO WebNMS Framework file upload handling. According to the supplied NVD record, the issue affects WebNMS Framework 5.2 and 5.2 SP1 and can allow remote attackers to upload and execute arbitrary JSP files through the fileName parameter in servlets/FileUploadServlet.

Vendor: Zohocorp
Product: CVE-2016-6600
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators and developers responsible for ZOHO WebNMS Framework 5.2/5.2 SP1 deployments, especially any system exposing FileUploadServlet or accepting user-controlled uploads.

Technical summary

The supplied NVD metadata maps this issue to CWE-22 (path traversal). The vulnerability description states that a .. sequence in the fileName parameter can bypass intended upload path restrictions. In the described impact, that traversal can be used to place a JSP file in a location where it may be executed by the server, creating a remote code execution risk on affected deployments.

Defensive priority

Immediate. The CVSS 3.0 base score is 9.8/CRITICAL, and the attack vector is network-based with no privileges or user interaction required.

Recommended defensive actions

  • Inventory deployments to confirm whether ZOHO WebNMS Framework 5.2 or 5.2 SP1 is in use.
  • Restrict or disable access to servlets/FileUploadServlet from untrusted networks until a vendor-supported fix is in place.
  • Validate and canonicalize uploaded filenames on the server side so path traversal sequences are rejected.
  • Prevent execution of JSP or other server-side script files in upload directories.
  • Review logs and file-system locations used for uploads for unexpected JSP or other webshell-like files.
  • Follow vendor and NVD-linked advisories for any available patch, workaround, or upgrade path.
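The second, third and fourth actions above (reject traversal sequences, canonicalize the name, keep server-side scripts out of the upload directory, and audit what is already there) are shown below as an added example written for this debrief; it is not code from ZOHO, WebNMS or the NVD record. The upload root, the allow list of extensions and the sample file names are constructed assumptions for the demonstration; the script-extension list and the traversal samples mirror the `..` / JSP shape the CVE description gives.

```python
import os
import tempfile

# Constructed policy for this example: only plain document/image uploads are accepted,
# and any name that carries a server-side script extension anywhere in it is refused.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".png", ".jpg", ".pdf", ".log"}
SCRIPT_EXTENSIONS = {"jsp", "jspx", "jspf", "jsw", "jsv"}


class UnsafeFileName(ValueError):
    """Raised when an uploaded file name fails validation."""


def safe_upload_path(upload_root: str, file_name: str) -> str:
    """Return the canonical path inside upload_root where file_name may be stored.

    Raises UnsafeFileName for anything that is not a bare, allow-listed file name.
    """
    if not file_name or file_name in (".", ".."):
        raise UnsafeFileName("empty or reserved name")
    # An upload servlet should only ever receive a bare name: NUL bytes and any path
    # separator (POSIX or Windows) mean the client is trying to steer the destination.
    if "\x00" in file_name or "/" in file_name or "\\" in file_name:
        raise UnsafeFileName("path separators are not allowed in uploaded names")
    if ".." in file_name:
        raise UnsafeFileName("traversal sequence in file name")
    # Look at every dotted component, not just the last one, so 'shell.jsp.txt' is
    # refused as well as 'shell.jsp'; upload validation should not have to reason
    # about which double extensions the servlet container would execute.
    parts = file_name.lower().split(".")[1:]
    if any(part in SCRIPT_EXTENSIONS for part in parts):
        raise UnsafeFileName("server-side script extension refused")
    if os.path.splitext(file_name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFileName("extension not on the allow list")
    # Defence in depth: canonicalize both sides and confirm the resolved target is
    # still underneath the resolved upload root.
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, file_name))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFileName("resolved path escapes the upload root")
    return candidate


def check_names(upload_root: str, names) -> dict:
    """Map each candidate name to 'accepted' or 'rejected: <reason>'."""
    results = {}
    for name in names:
        try:
            safe_upload_path(upload_root, name)
            results[name] = "accepted"
        except UnsafeFileName as exc:
            results[name] = f"rejected: {exc}"
    return results


def find_script_files(directory: str) -> list:
    """Audit helper for an existing upload tree: list files with a script extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for f in files:
            if any(part in SCRIPT_EXTENSIONS for part in f.lower().split(".")[1:]):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


# Constructed sample names: two benign uploads, two traversal attempts in the shape the
# CVE describes, one bare JSP and one double-extension JSP.
SAMPLE_NAMES = [
    "report.txt",
    "image.png",
    "../../shell.jsp",
    "..\\..\\shell.jsp",
    "shell.jsp",
    "notes.jsp.txt",
]

if __name__ == "__main__":
    for name, verdict in check_names("/srv/uploads", SAMPLE_NAMES).items():
        print(f"{name!r}: {verdict}")
    # Audit demo on a throwaway directory with one constructed benign file and one
    # constructed JSP file; the JSP is the only hit.
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "ok.txt"), "w").close()
        open(os.path.join(tmp, "left-behind.jsp"), "w").close()
        print("script files found:", find_script_files(tmp))
```

The validator refuses early on structure (separators, `..`, script extensions) and only then canonicalizes, so the realpath check is a backstop rather than the primary control; `find_script_files` is the review step for upload locations that were exposed before the servlet was restricted.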

Evidence notes

Supported by the supplied NVD record: CVE-2016-6600 affects ZOHO WebNMS Framework 5.2 and 5.2 SP1, is classified as CWE-22, and has the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The supplied metadata also lists third-party advisories and exploit references, but no remediation details were included in the source corpus.

Official resources

Publicly disclosed in the CVE record on 2017-01-23. The supplied NVD metadata also includes third-party advisories and exploit references that predate the record, but the CVE published date remains 2017-01-23.