Cyber Resilience

CVE-2016-4437

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 June 2016

Modified: 22 April 2026
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9425 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-4437 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Apache Aurora. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-12 (Cryptographic Key Establishment and Management).

Deeper analysis

Apache Shiro versions prior to 1.2.5 are affected by a vulnerability in the "remember me" feature that activates when no cipher key has been explicitly configured. The flaw, tracked under CVE-2016-4437 with a CVSS score of 9.8, permits remote attackers to supply an unspecified request parameter that leads to arbitrary code execution or bypass of access controls. The issue is also associated with CWE-321 regarding use of hard-coded cryptographic keys.

Unauthenticated remote attackers can target any Shiro-based application that relies on the remember-me functionality without a custom key, achieving full compromise of the affected system or unauthorized access to protected resources. Public exploit code demonstrating both information disclosure and remote code execution against version 1.2.4 has been published.

Red Hat addressed the vulnerability through errata RHSA-2016-2035 and RHSA-2016-2036, while additional technical details and proof-of-concept material appear in PacketStorm and SecurityFocus archives.

Vulnerability details

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Versions
apache / aurora: 0.10.0 to 0.18.1
apache / shiro: ≤ 1.2.5
redhat / fuse: 1.0
redhat / jboss middleware text-only advisories: 1.0

Mitigating Controls (NIST 800-53 r5)

SC-12 Cryptographic Key Establishment and Management (prevent)
Directly requires proper cryptographic key establishment and management, preventing use of hard-coded or absent cipher keys in Shiro's remember-me feature.

AC-3 Access Enforcement (prevent)
Enforces access control decisions so that an unauthenticated attacker cannot bypass restrictions or execute arbitrary code via a forged remember-me parameter.

(prevent)
Requires secure management of authenticators, including the cryptographic material protecting persistent remember-me tokens.
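As an added defensive example (not from this page or from the Apache Shiro project), the Python audit below parses the [main] section of a shiro.ini file and flags the condition the analysis and the SC-12 control describe: remember-me in use with no explicitly configured cipher key, which on Shiro before 1.2.5 means the hard-coded default key is in effect. The sample INI text is constructed for the example; the property path securityManager.rememberMeManager.cipherKey is the bean path used in Shiro's INI configuration and is an assumption to verify against the documentation for the version you run. Upgrading to 1.2.5 or later is the primary fix; an explicit, per-deployment key kept outside the code base is the durable key-management control on any version.

```python
"""Audit Apache Shiro INI configuration for the CVE-2016-4437 condition:
remember-me running without an explicitly configured cipher key.
Added example; the shiro.ini samples below are constructed, not from a real deployment."""
import base64
import binascii
import configparser
import secrets
from typing import List

# Bean path used in Shiro's INI [main] section (assumption: confirm against the
# remember-me documentation for your Shiro version).
CIPHER_KEY_PROPERTY = "securityManager.rememberMeManager.cipherKey"

# Constructed sample: cookie remember-me enabled, no key configured. On Shiro
# < 1.2.5 this silently falls back to the hard-coded default key (CWE-321).
WEAK_INI = """\
[main]
rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
securityManager.rememberMeManager = $rememberMeManager

[urls]
/** = authc
"""


def generate_cipher_key_b64() -> str:
    """Return a fresh random 128-bit AES key, Base64-encoded as shiro.ini expects.
    Generate once per deployment and inject it from a secret store; never commit it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def with_cipher_key(ini_text: str, key_b64: str) -> str:
    """Insert an explicit cipherKey line at the end of the [main] section."""
    return ini_text.replace(
        "\n[urls]", f"\n{CIPHER_KEY_PROPERTY} = {key_b64}\n\n[urls]", 1
    )


# Constructed sample: the same configuration with an explicit random key.
FIXED_INI = with_cipher_key(WEAK_INI, generate_cipher_key_b64())


def key_length_bytes(key_b64: str) -> int:
    """Decode a Base64 key and return its length in bytes (raises on bad Base64)."""
    return len(base64.b64decode(key_b64.strip(), validate=True))


def _parse(ini_text: str) -> configparser.ConfigParser:
    # Shiro INI uses '=' and '$bean' references; disable interpolation and keep key case.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp


def audit_remember_me_key(ini_text: str) -> List[str]:
    """Return a list of findings; an empty list means the key is explicitly set and sane.
    An absent key is always a finding: Shiro's web security manager provides a cookie
    remember-me manager by default, so not declaring one does not disable the feature."""
    findings: List[str] = []
    cp = _parse(ini_text)
    main = cp["main"] if "main" in cp else {}
    key_b64 = main.get(CIPHER_KEY_PROPERTY)
    if key_b64 is None:
        findings.append(
            "no explicit remember-me cipherKey: Shiro < 1.2.5 uses the hard-coded "
            "default key (CVE-2016-4437); upgrade and set a per-deployment key"
        )
        return findings
    try:
        length = key_length_bytes(key_b64)
    except (binascii.Error, ValueError):
        findings.append("remember-me cipherKey is not valid Base64")
        return findings
    if length not in (16, 24, 32):
        findings.append(
            f"remember-me cipherKey decodes to {length} bytes; AES needs 16, 24 or 32"
        )
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(label, audit_remember_me_key(ini) or "OK")
```

Rotating the key invalidates every outstanding remember-me cookie, which is the intended effect after a suspected exposure; running this audit in CI against the deployed configuration catches the regression where a key is dropped during a config refactor.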
