CVE-2016-15048
Published: 22 October 2025
Summary
CVE-2016-15048 is a critical-severity OS Command Injection (CWE-78) vulnerability in Amttgroup Hibos. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of user-supplied inputs like the ip parameter to block shell metacharacter injection in the server_ping.php endpoint.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as patching or replacing the vulnerable HiBOS code responsible for unescaped shell command construction.
- Access control: enforces authentication and authorization for sensitive endpoints like /manager/radius/server_ping.php to block unauthenticated remote exploitation.
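The SI-10 control above comes down to one rule: a value that will be placed in a shell command must be proven to be an IP literal before it gets there, and quoted even then. The following PHP is an added example written for this page, not HiBOS code and not the vendor's fix; the function names and the `ping -c 1 -W 2` invocation are assumptions chosen for illustration.

```php
<?php
// Added example (not HiBOS code): a hardened ping handler applying the
// input-validation control (SI-10) described above. Function names and the
// exact ping flags are assumptions for illustration.

declare(strict_types=1);

/**
 * Validate a ping target before it can reach a shell.
 * Returns the IP literal, or null when the value is not a valid IPv4/IPv6 address.
 */
function validate_ping_target(string $raw): ?string
{
    $candidate = trim($raw);
    // FILTER_VALIDATE_IP accepts only IPv4/IPv6 literals, so shell
    // metacharacters such as ';', '|', '`' or '$(' cannot pass this check.
    $valid = filter_var($candidate, FILTER_VALIDATE_IP);
    return $valid === false ? null : $valid;
}

/**
 * Run ping against an already-validated target.
 * Weak pattern this replaces (do NOT use): shell_exec("ping -c 1 " . $_GET['ip']);
 */
function run_ping(string $ip): array
{
    // Defense in depth: even though $ip is validated, quote it so the shell
    // sees exactly one literal argument.
    $cmd = 'ping -c 1 -W 2 ' . escapeshellarg($ip) . ' 2>&1';
    exec($cmd, $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Hypothetical request handling. The real endpoint should also sit behind
// authentication (the access-control item above) rather than be reachable
// by unauthenticated clients.
$target = validate_ping_target((string)($_GET['ip'] ?? ''));
if ($target === null) {
    http_response_code(400);
    exit('invalid ip parameter');
}
header('Content-Type: application/json');
echo json_encode(run_ping($target));
```

Validation (reject anything that is not an IP literal) and escaping (`escapeshellarg`) are layered deliberately: the first blocks the injection class the NVD description names, the second guards against a future change that loosens the validator.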
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in a public-facing web endpoint (/manager/radius/server_ping.php) enables remote exploitation (T1190) and arbitrary shell command execution (T1059.004).
NVD Description
AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC.
Deeper analysis
CVE-2016-15048 is an unauthenticated command injection vulnerability in the AMTT Hotel Broadband Operation System (HiBOS), affecting the /manager/radius/server_ping.php endpoint. The application constructs a shell command using a user-supplied ip parameter and executes it without proper validation or escaping, allowing attackers to inject shell metacharacters. This flaw, associated with CWE-78, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted request with malicious input in the ip parameter, gaining arbitrary system command execution as the web server user. Successful exploitation has high confidentiality, integrity, and availability impact and can lead to full server compromise.
Advisories, including the initial 2016 third-party disclosure and VulnCheck's analysis, recommend contacting the vendor for remediation guidance, as no specific patches are detailed. The product may have been rebranded under a different name. Relevant resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/amtt-hibos-command-injection-rce-via-server-ping-php and a Nuclei proof-of-concept at https://github.com/adysec/nuclei_poc/blob/49c283b2bbb244c071786a2b768fbdde1b91f38e/poc/remote_code_execution/hiboss-rce_2.yaml#L21.
VulnCheck observed active exploitation in the wild as of 2025-10-14 at 04:45:53.510819 UTC.
Details
- CWE(s)