CVE-2016-15048
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-12-31
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amttgroup | hibos | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2016-15048 is a critical vulnerability in the AMTT Hotel Broadband Operation System (HiBOS) that allows unauthenticated remote attackers to execute arbitrary system commands. This happens because the /manager/radius/server_ping.php endpoint takes a user-supplied 'ip' parameter and directly inserts it into a shell command without proper validation or escaping. Attackers can inject shell metacharacters into this parameter to run arbitrary commands with the privileges of the web server user. Additionally, there is a stored Cross-Site Scripting (XSS) vulnerability in the language management interface, which is accessible without proper authorization, allowing attackers to inject malicious scripts that execute upon user login. [2, 4]
How can this vulnerability impact me?
This vulnerability can have severe impacts including full remote code execution on the affected system, allowing attackers to run arbitrary commands as the web server user, potentially leading to system compromise, data theft, or disruption of services. The stored XSS vulnerability can lead to session hijacking, unauthorized access, and further exploitation by injecting malicious scripts that execute when users log in. Since the vulnerability requires no authentication and no user interaction, it is highly exploitable and poses a critical risk to system confidentiality, integrity, and availability. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests to the /manager/radius/server_ping.php endpoint with malicious payloads in the ip parameter to test for command injection. For example, you can use curl to send a request with shell metacharacters in the ip parameter to see if arbitrary commands are executed. A sample command might be: `curl -G --data-urlencode "ip=127.0.0.1;id" http://<target>/manager/radius/server_ping.php`. If the output includes the result of the injected command (e.g., output of 'id'), the system is vulnerable. Additionally, scanning tools like Nuclei have proof-of-concept templates available to automate detection of this vulnerability. [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /manager/radius/server_ping.php endpoint to trusted users or internal networks, applying input validation and sanitization on the ip parameter to prevent shell metacharacter injection, and contacting the vendor for official patches or remediation guidance. Since no specific patch details are provided, users should also monitor for suspicious activity and consider disabling or restricting the vulnerable functionality until a fix is available. [2, 4]
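For the monitoring step, the following added example (not code from the vendor or from this page's sources) scans web server access logs for requests to the endpoint whose ip parameter is anything other than a bare IP address. It assumes Apache/nginx "combined" log format; the function names and sample log entries are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/manager/radius/server_ping.php"  # path named in the advisory
# Assumed log format: Apache/nginx "combined" access log.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:09:00:00 +0000] "GET /manager/radius/server_ping.php?ip=192.168.1.10 HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2026:09:00:05 +0000] "GET /manager/radius/server_ping.php?ip=127.0.0.1%3Bid HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.23 - - [01/Jan/2026:09:00:09 +0000] "GET /manager/radius/server_ping.php?ip=10.0.0.5;id HTTP/1.1" 200 298 "-" "-"',
    '192.0.2.10 - - [01/Jan/2026:09:00:12 +0000] "GET /index.php?ip=127.0.0.1%3Bid HTTP/1.1" 404 0 "-" "-"',
]

def is_plain_ip(value):
    """True only if value is exactly one IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def suspicious_requests(lines):
    """Return (source, status, decoded ip value) for requests to ENDPOINT
    whose 'ip' parameter is anything other than a bare IP address."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if unquote(url.path) != ENDPOINT:
            continue
        # parse_qs percent-decodes values; separator="&" keeps a literal ';'
        # inside the value instead of treating it as a field separator.
        params = parse_qs(url.query, keep_blank_values=True, separator="&")
        for value in params.get("ip", []):
            if not is_plain_ip(value):
                hits.append((m.group("src"), int(m.group("status")), value))
    return hits

if __name__ == "__main__":
    for src, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{src} status={status} ip={value!r}")
```

Access logs record only the query string, so a parameter sent in a POST body will not appear here and needs request-body logging or a WAF rule instead. If the deployment legitimately pings hostnames, those will also be flagged and the check should be tuned accordingly.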