CVE-2016-9499

low-risk
Published 2018-07-13

Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

Do I need to act?

-
0.51% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Ftp Server

Affected Vendors

Accellion

References (6)

Third Party Advisory https://www.kb.cert.org/vuls/id/745607
Exploit https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf
Third Party Advisory https://www.securityfocus.com/bid/96154
Third Party Advisory https://www.kb.cert.org/vuls/id/745607
Exploit https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf
Third Party Advisory https://www.securityfocus.com/bid/96154
28
/ 100
low-risk
Severity 21/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal