CVE-2016-9269

high-risk
Published 2017-02-21

Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to run arbitrary commands on the system as root via Patch Update functionality. This was resolved in Version 6.5 CP 1737.

Do I need to act?

~
6.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
41361
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Trendmicro

References (6)

http://www.securityfocus.com/bid/96252
http://www.securitytracker.com/id/1037849
Patch https://success.trendmicro.com/solution/1116672
http://www.securityfocus.com/bid/96252
http://www.securitytracker.com/id/1037849
Patch https://success.trendmicro.com/solution/1116672
54
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 16/34 · Moderate
Exposure 5/34 · Minimal