Cyber Resilience

CVE-2016-15048

Critical · Public PoC · RCE

Published: 22 October 2025

Modified: 31 December 2025
KEV Added
Patch
CVSS Score v4: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0154 (81.8th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-15048 is a critical-severity OS Command Injection (CWE-78) vulnerability in Amttgroup Hibos. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-15048 is an unauthenticated command injection vulnerability in the AMTT Hotel Broadband Operation System (HiBOS), affecting the /manager/radius/server_ping.php endpoint. The application constructs a shell command using a user-supplied ip parameter and executes it without proper validation or escaping, allowing attackers to inject shell metacharacters. This flaw, associated with CWE-78, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted request with malicious input in the ip parameter, enabling arbitrary system command execution as the web server user. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially leading to full server compromise.

Advisories, including the initial 2016 third-party disclosure and VulnCheck's analysis, recommend contacting the vendor for remediation guidance, as no specific patches are detailed. The product may have been rebranded under a different name. Relevant resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/amtt-hibos-command-injection-rce-via-server-ping-php and a Nuclei proof-of-concept at https://github.com/adysec/nuclei_poc/blob/49c283b2bbb244c071786a2b768fbdde1b91f38e/poc/remote_code_execution/hiboss-rce_2.yaml#L21.

VulnCheck observed active exploitation in the wild as of 2025-10-14 at 04:45:53.510819 UTC.

EU & UK References

Vulnerability details

AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection in a public-facing web endpoint (/manager/radius/server_ping.php) enables remote exploitation (T1190) and arbitrary shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2701: Same product (Amttgroup Hibos)
CVE-2026-42454: Shared CWE-78
CVE-2026-34796: Shared CWE-78
CVE-2026-40111: Shared CWE-78
CVE-2024-57016: Shared CWE-78
CVE-2019-25224: Shared CWE-78
CVE-2025-50475: Shared CWE-78
CVE-2024-57015: Shared CWE-78
CVE-2026-36828: Shared CWE-78
CVE-2024-57595: Shared CWE-78

Affected Assets

amttgroup
hibos
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation and sanitization of user-supplied inputs like the ip parameter to block shell metacharacter injection in the server_ping.php endpoint.

prevent

Mandates timely flaw remediation, such as patching or replacing the vulnerable HiBOS code responsible for unescaped shell command construction.

prevent

Enforces authentication and authorization for sensitive endpoints like /manager/radius/server_ping.php to block unauthenticated remote exploitation.
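
A detection-side counterpart to the input-validation control above, added here as an example and not taken from the advisory or the vendor: it scans web access logs for requests to the endpoint whose ip parameter is anything other than a bare IP address. It assumes common/combined log format and that the parameter appears in the query string (the page does not state the HTTP method); the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/manager/radius/server_ping.php"  # path named in the advisory
# Leading fields of a common/combined-format access log entry (assumed format)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_plain_ip(value):
    """True only if value is exactly one IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def suspicious_requests(lines):
    """Return (client, status, decoded ip value) for each request to the
    endpoint whose ip parameter is not a bare IP address."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes values; keep blanks so an empty "ip=" is seen
        for value in parse_qs(url.query, keep_blank_values=True).get("ip", []):
            if not is_plain_ip(value):
                findings.append((client, int(status), value))
    return findings

# Constructed sample lines using documentation address ranges, not real traffic
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /manager/radius/server_ping.php?ip=192.0.2.10 HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /manager/radius/server_ping.php?ip=192.0.2.10%3BPLACEHOLDER HTTP/1.1" 200 540',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /index.php?ip=x HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} ip={value!r}")
```

The same strict "parses as one IP literal" test is the allowlist check the input-validation control calls for on the server side; anything that fails it should never reach a shell.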

References