Cyber Resilience

CVE-2016-6367

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 18 August 2016
Modified: 22 April 2026
KEV Added: 24 May 2022
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1876 (95.4th percentile)
Risk Priority: 47 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-6367 is a high-severity Command Injection (CWE-77) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 4.6% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-6367 is a command injection vulnerability (CWE-77) in Cisco Adaptive Security Appliance (ASA) Software versions prior to 8.4(1) running on ASA 5500, ASA 5500-X, PIX, and FWSM devices. The flaw, tracked as Bug ID CSCtu74257 and also known as EPICBANANA, permits local users to escalate privileges by submitting specially crafted invalid CLI commands.

A local attacker with low-privileged CLI access can exploit the issue without user interaction to obtain elevated privileges, resulting in full control over confidentiality, integrity, and availability of the affected device. The CVSS 3.1 base score of 7.8 reflects the high impact combined with local attack vector and low attack complexity.

Cisco's security advisory cisco-sa-20160817-asa-cli and related notices direct administrators to upgrade to fixed releases and reference additional context from the Shadow Brokers disclosures. The vulnerability was publicly associated with the 2016 Shadow Brokers leak of NSA-linked exploit tools.

EU & UK References

Vulnerability details

Cisco Adaptive Security Appliance (ASA) Software before 8.4(1) on ASA 5500, ASA 5500-X, PIX, and FWSM devices allows local users to gain privileges via invalid CLI commands, aka Bug ID CSCtu74257 or EPICBANANA.

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cisco
Product: adaptive security appliance software
Versions: 7.2.0 to 8.4(3); 8.5 to 9.0(1)
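As an added example (not code from this page or from Cisco), the following Python normalises Cisco ASA version strings and checks a device's reported version against the two affected ranges listed above. The inclusive bounds, the `show version` pattern and the sample output are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Affected version ranges exactly as listed in this page's Affected Assets section.
# Bounds are treated as inclusive (an assumption; confirm against the Cisco advisory).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("7.2.0", "8.4(3)"),
    ("8.5", "9.0(1)"),
]

# Accepts the ASA formats seen on this page: 'major.minor', 'major.minor.maint',
# 'major.minor(maint)', plus the interim form 'major.minor(maint)interim'.
_SHAPE = re.compile(r"^\d+\.\d+(?:\(\d+\)\d*|(?:\.\d+){0,2})$")


def parse_asa_version(text: str) -> Tuple[int, ...]:
    """Normalise an ASA version string to (major, minor, maintenance, interim)."""
    text = text.strip()
    if not _SHAPE.match(text):
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    parts = [int(p) for p in re.findall(r"\d+", text)]
    parts += [0] * (4 - len(parts))  # pad missing fields with zero so tuples compare
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the listed affected ranges."""
    v = parse_asa_version(version)
    return any(parse_asa_version(lo) <= v <= parse_asa_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the software version out of 'show version' output, if present (assumed format)."""
    m = re.search(r"Adaptive Security Appliance Software Version\s+(\S+)", output)
    return m.group(1) if m else None


# Constructed sample of the first lines of 'show version' (not from a real device).
SAMPLE_SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
"""

if __name__ == "__main__":
    found = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(f"running {found}: affected={is_affected(found)}")
```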

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly blocks the invalid CLI command injection (CWE-77) that EPICBANANA uses to bypass privilege checks.

Prevent: Requires prompt patching of ASA software to the fixed release that eliminates the CSCtu74257 flaw.

Prevent: Limits initial CLI privileges so a successful exploit yields less device control than an unrestricted account.

References