CVE-2016-15048
Published: 22 October 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2016-15048 is an unauthenticated command injection vulnerability in the AMTT Hotel Broadband Operation System (HiBOS), affecting the /manager/radius/server_ping.php endpoint. The application constructs a shell command using a user-supplied ip parameter and executes it without proper validation or escaping, allowing attackers to inject shell metacharacters. This flaw, associated with CWE-78, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted request with malicious input in the ip parameter, enabling arbitrary system command execution as the web server user. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially leading to full server compromise.
Advisories, including the initial 2016 third-party disclosure and VulnCheck's analysis, recommend contacting the vendor for remediation guidance, as no specific patches are detailed. The product may have been rebranded under a different name. Relevant resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/amtt-hibos-command-injection-rce-via-server-ping-php and a Nuclei proof-of-concept at https://github.com/adysec/nuclei_poc/blob/49c283b2bbb244c071786a2b768fbdde1b91f38e/poc/remote_code_execution/hiboss-rce_2.yaml#L21.
VulnCheck observed active exploitation in the wild as of 2025-10-14 at 04:45:53.510819 UTC.
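The flaw described above is the classic OS command injection pattern: a request parameter is interpolated into a shell command string. The following Python example is added here and is not code from the advisory, the vendor or VulnCheck; it shows the defensive side for the same endpoint and parameter, namely strict validation of the `ip` value before it reaches a ping invocation (argv list, no shell), plus a small detector that flags requests to `/manager/radius/server_ping.php` whose `ip` parameter is not an IP literal. The function names, the ping invocation and the sample log lines are assumptions in a generic combined access-log format, constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Characters with meaning to a POSIX shell. Their presence in a value that
# should be an IP address is a strong injection signal rather than a typo.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"]")

# Generic combined-log-format prefix (assumption: Apache/nginx style lines).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/manager/radius/server_ping.php"  # endpoint named in the advisory


def validate_ping_target(raw):
    """Return the canonical IPv4/IPv6 literal for raw, or None if it is anything else."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def build_ping_argv(raw):
    """Hardened form (hypothetical): validate first, then pass the value as a
    separate argv element so no shell ever parses it. The vulnerable pattern
    this replaces concatenates the raw parameter into a shell command string."""
    target = validate_ping_target(raw)
    if target is None:
        raise ValueError("ip parameter is not an IP address literal")
    # A validated literal cannot start with '-', so it cannot be misread as an option.
    return ["ping", "-c", "3", target]


def query_param(query, name):
    """Decode all values of one query parameter (manual split so the result
    does not depend on the Python version's treatment of ';' separators)."""
    values = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(value))
    return values


def inspect_request(line):
    """Return a finding dict for a request to the vulnerable endpoint whose
    ip parameter fails validation, otherwise None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(VULN_PATH):
        return None
    for value in query_param(parts.query, "ip"):
        if validate_ping_target(value) is None:
            return {
                "src": m.group("src"),
                "ts": m.group("ts"),
                "ip_param": value,
                "shell_meta": bool(SHELL_META.search(value)),
            }
    return None


def scan_log(lines):
    """Run inspect_request over an iterable of log lines and collect findings."""
    return [f for f in (inspect_request(l) for l in lines) if f]


# Constructed sample log lines (not real traffic): one benign request, two
# requests carrying shell metacharacters, one unrelated endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Oct/2025:04:45:53 +0000] "GET /manager/radius/server_ping.php?ip=10.0.0.1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Oct/2025:04:46:10 +0000] "GET /manager/radius/server_ping.php?ip=10.0.0.1%3Bid HTTP/1.1" 200 640',
    '203.0.113.9 - - [14/Oct/2025:04:46:12 +0000] "GET /manager/radius/server_ping.php?ip=%60id%60 HTTP/1.1" 200 640',
    '198.51.100.2 - - [14/Oct/2025:04:47:00 +0000] "GET /index.php?ip=1%3B2 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(build_ping_argv("10.0.0.1"))
```

The validator accepts only what `ipaddress.ip_address` parses, which is a tighter allow-list than stripping metacharacters and is the check a patched `server_ping.php` would need; the detector is intentionally narrow (one path, one parameter) so it can be dropped into a log review for this specific product without chasing unrelated noise.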
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in a public-facing web endpoint (/manager/radius/server_ping.php) enables remote exploitation (T1190) and arbitrary shell command execution (T1059.004).