PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6601 Zohocorp CVE debrief

CVE-2016-6601 describes a directory traversal issue in the file download feature of ZOHO WebNMS Framework 5.2 and 5.2 SP1. The NVD record states that a remote attacker can supply path traversal sequences in the fileName parameter to servlets/FetchFile to read arbitrary files. Because the issue is network-reachable, requires no authentication, and exposes file contents, it is a high-priority confidentiality risk for any exposed WebNMS deployment.

Vendor: Zohocorp
Product: CVE-2016-6601
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running ZOHO WebNMS Framework 5.2 or 5.2 SP1, especially on systems exposed to untrusted networks. Incident responders should also care if these versions were reachable from the internet or used for sensitive operational data.

Technical summary

The vulnerability is classified as CWE-22 (path traversal). In affected WebNMS Framework versions, the file download functionality does not adequately constrain user-controlled path input, allowing traversal via .. sequences in the fileName parameter passed to servlets/FetchFile. The CVSS vector in the source record is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating unauthenticated remote exploitation with high confidentiality impact and no direct integrity or availability impact in the CVSS assessment.

Defensive priority

High. Prioritize any externally reachable WebNMS Framework 5.2/5.2 SP1 instance because the flaw is unauthenticated, network-accessible, and can expose arbitrary files.

Recommended defensive actions

  • Inventory all instances of ZOHO WebNMS Framework and confirm whether version 5.2 or 5.2 SP1 is deployed.
  • Restrict or disable access to the affected file download servlet path (servlets/FetchFile) until a non-vulnerable release or vendor remediation is in place.
  • Review web and application logs for suspicious fileName requests containing traversal patterns such as ../ or encoded equivalents.
  • Check for exposure of sensitive files that could have been readable through the traversal flaw and rotate any credentials or secrets that may have been exposed.
  • Follow vendor guidance and ensure affected systems are moved to a non-vulnerable version or otherwise remediated according to official instructions.
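The log review step above, as an added example that is not part of the original debrief or of WebNMS itself: a scanner that flags requests to servlets/FetchFile whose fileName resolves to a `..` path segment after repeated percent-decoding, so plain, single-encoded, double-encoded and backslash variants are all caught. The access-log lines and file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed common-log-format lines exercising the scanner (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2017:10:01:02 +0000] "GET /servlets/FetchFile?fileName=report.pdf HTTP/1.1" 200 1024
10.0.0.9 - - [23/Jan/2017:10:01:09 +0000] "GET /servlets/FetchFile?fileName=../../../../conf/app.properties HTTP/1.1" 200 2048
10.0.0.9 - - [23/Jan/2017:10:01:15 +0000] "GET /servlets/FetchFile?fileName=..%2F..%2Fconf%2Fapp.properties HTTP/1.1" 200 2048
10.0.0.9 - - [23/Jan/2017:10:01:21 +0000] "GET /servlets/FetchFile?fileName=%252e%252e%252f%252e%252e%252fconf%252fapp.properties HTTP/1.1" 404 0
10.0.0.7 - - [23/Jan/2017:10:02:00 +0000] "GET /servlets/FetchFile?fileName=..%5c..%5cconf%5capp.properties HTTP/1.1" 200 2048
10.0.0.7 - - [23/Jan/2017:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode until stable so double encoding (%252e -> %2e -> .) is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(file_name):
    """True when the decoded fileName contains a '..' segment under / or \\ separators."""
    segments = fully_decode(file_name).replace("\\", "/").split("/")
    return any(seg == ".." for seg in segments)

def find_traversal_requests(log_text):
    """One record per FetchFile request whose fileName is a traversal attempt."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/servlets/fetchfile"):
            continue
        for pair in url.query.split("&"):  # manual split keeps the raw encoded value for reporting
            key, _, raw = pair.partition("=")
            if unquote(key) != "fileName":
                continue
            if is_traversal(raw):
                hits.append({"line": lineno, "client": m.group("ip"), "status": int(m.group("status")),
                             "raw": raw, "decoded": fully_decode(raw)})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["client"]} status={hit["status"]} fileName={hit["decoded"]!r}')
```

A 404 or 403 on a flagged request still records an attempt, so every hit is worth correlating with the client address, not only those that returned 200.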

Evidence notes

The vulnerability description, affected versions, and attack surface come from the supplied NVD record for CVE-2016-6601. The record lists CWE-22 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Reference entries in the record include third-party advisories, exploit-related writeups, and a vendor forum post, but this debrief limits itself to the facts present in the supplied corpus.

Official resources

The CVE was published in the official record on 2017-01-23. The supplied NVD metadata also lists multiple third-party advisories and exploit-related references, which indicates public discussion of the issue in the wider security community.