CVE-2016-15048

9.8 CRITICAL

📋 TL;DR

Unauthenticated remote command injection in AMTT Hotel Broadband Operation System (HiBOS). The ip parameter of /manager/radius/server_ping.php is used unsanitized in a system command, so a single crafted HTTP request executes arbitrary commands as the web server user. Every reachable HiBOS deployment that exposes this endpoint is affected, and exploitation has been observed in the wild.

💻 Affected Systems

Products:
  • AMTT Hotel Broadband Operation System (HiBOS)
  • Potentially rebranded versions under different names
Versions: Not documented by the vendor; treat any build that exposes /manager/radius/server_ping.php as affected
Operating Systems: Likely Linux-based systems running the HiBOS software
Default Config Vulnerable: ⚠️ Yes
Notes: The endpoint is reachable in the default configuration; no setting has to be enabled for the flaw to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise. The attacker installs malware, pivots to other hotel systems, steals sensitive data, or disrupts hotel operations.

🟠 Likely Case: Opportunistic mass exploitation drops cryptocurrency miners, backdoors, or ransomware, causing downtime and data theft.

🟢 If Mitigated: Limited impact when the endpoint is blocked at the web server or WAF, the host sits in its own network segment so that a compromised web server account cannot reach other systems, and outbound connections from the host are restricted.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and exploitable remotely via HTTP requests.
🏢 Internal Only: HIGH - Even internally, the vulnerability requires no authentication and allows command execution.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

VulnCheck confirmed exploitation in the wild as of October 2025. Public proof-of-concept code exists in Nuclei templates and third-party disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.amttgroup.com/ (vendor homepage; no dedicated advisory is linked)

Restart Required: Unknown (no patch has been published)

Instructions:

Contact AMTT Group for remediation guidance as recommended in the original disclosure. No official patch information is publicly available.

🔧 Temporary Workarounds

Block Access to Vulnerable Endpoint

Use a web application firewall or reverse proxy to return 403 for every request to /manager/radius/server_ping.php. Example rules for the two common front ends:

# Apache (vhost or server context; mod_rewrite must be enabled. In .htaccess the
# leading slash is stripped from the path, so drop it from the pattern there):
RewriteEngine On
RewriteRule ^/manager/radius/server_ping\.php$ - [F]

# Nginx (regex locations are tried in order and the first match wins, so this
# block must appear before any generic "location ~ \.php$" that hands requests to PHP-FPM):
location ~ ^/manager/radius/server_ping\.php$ { deny all; }

Input Validation via Web Server

If the endpoint must stay reachable, reject requests whose ip parameter contains shell metacharacters. The rule runs in phase 2 so that the parameter is inspected whether it arrives in the query string or a POST body (ModSecurity decodes ARGS before matching):

# ModSecurity v2 denylist: the characters the original disclosure flags
SecRule ARGS:ip "@rx [;|&`$()]" "id:1001,phase:2,deny,status:403,msg:'CVE-2016-15048 server_ping.php ip parameter'"

A denylist is the weaker form: a newline (%0a) also separates shell commands and is not in the character class above. Since the endpoint pings an address, an allowlist that accepts only a dotted-quad IPv4 value (an assumption about what the endpoint needs; extend it if IPv6 or hostnames are in use) is the safer rule:

# ModSecurity v2 allowlist: anything that is not a plain IPv4 address is refused
SecRule ARGS:ip "!@rx ^[0-9]{1,3}(\.[0-9]{1,3}){3}$" "id:1002,phase:2,deny,status:403,msg:'CVE-2016-15048 server_ping.php ip not an IPv4 address'"

🧯 If You Can't Patch

  • Isolate the HiBOS system in a dedicated network segment with strict firewall rules. Limit inbound access to the management interface to administrator hosts and limit outbound connections to what the system needs, since miners, backdoors, and ransomware droppers all have to call out after exploitation
  • Deploy network-based intrusion detection to alert on requests to the vulnerable endpoint that carry shell metacharacters, and host-level monitoring for processes spawned by the web server user

🔍 How to Verify

Check if Vulnerable:

Confirm that /manager/radius/server_ping.php exists and accepts the ip parameter. Send a baseline request with ip=127.0.0.1, then the harmless probe ip=127.0.0.1;echo+test (URL-encode the semicolon as %3B if your client does not). If the string "test" appears in the response, or the response otherwise shows that the second command ran, the parameter reaches a shell and the system is vulnerable.

Check Version:

Check HiBOS version through admin interface or contact vendor. No standard command available.

Verify Fix Applied:

Repeat the probe above. A mitigated system either refuses every request to /manager/radius/server_ping.php (403) or rejects the request as soon as the ip parameter contains anything other than a plain address; the injected command must not execute in either case.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /manager/radius/server_ping.php with shell metacharacters in parameters
  • Web server logs showing command execution patterns in URL parameters
  • Unusual process execution from web server user account

Network Indicators:

  • HTTP POST/GET requests containing shell metacharacters (;, |, &, `, $, (, )) in the ip parameter
  • Outbound connections from HiBOS server to suspicious IPs following exploitation

SIEM Query (field names are illustrative; adapt them to your schema):

web.url:*server_ping.php AND (web.param.ip:*;* OR web.param.ip:*|* OR web.param.ip:*&* OR web.param.ip:*`* OR web.param.ip:*$* OR web.param.ip:*(* OR web.param.ip:*)*)

This query matches the literal characters only. Attackers commonly send them URL-encoded (%3B for ;, %7C for |, %26 for &, %60 for `, %24 for $, %28 and %29 for the parentheses) and can use a newline (%0a) as a command separator, so either URL-decode the parameter at ingest before matching or add the encoded forms to the query. The safer detection is the inverse: alert on any ip value that is not a plain IP address.
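The following script is an added example, not code from the advisory or from AMTT: it applies the input-validation reasoning from the workaround section (denylist of shell metacharacters versus an allowlist of plain IPv4 addresses) to web server access logs, the way the SIEM query above does, but after URL-decoding the ip parameter. It assumes the Apache/nginx "combined" log format and that a dotted-quad IPv4 address is the only legitimate value for ip; the log lines are constructed for the example and are not real traffic.

```python
"""Added example (not AMTT code): flag suspicious ip= values sent to
/manager/radius/server_ping.php in web server access logs.
Assumes the Apache/nginx 'combined' log format and that a plain
dotted-quad IPv4 address is the only legitimate value for ip."""
import re
from urllib.parse import urlsplit, unquote_plus

TARGET_PATH = "/manager/radius/server_ping.php"

# Denylist used by the advisory's ModSecurity rule: shell metacharacters.
DENYLIST = re.compile(r"[;|&`$()]")

# Allowlist (assumption): the endpoint only needs a dotted-quad IPv4 address.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
STRICT_IPV4 = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")

# 'combined' log format: enough fields to extract the request target.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def denylist_hit(value):
    """True if the value contains one of the advisory's listed metacharacters."""
    return DENYLIST.search(value) is not None


def is_strict_ipv4(value):
    """True only for a bare dotted-quad. fullmatch (not match with $) so that a
    value with a trailing newline is rejected as well."""
    return STRICT_IPV4.fullmatch(value) is not None


def classify(value):
    """'ok' for a clean address; 'denylist' if the metacharacter rule would
    fire; 'allowlist-only' if only the strict allowlist rejects it (for
    example a newline-separated command, which the denylist never sees)."""
    if is_strict_ipv4(value):
        return "ok"
    if denylist_hit(value):
        return "denylist"
    return "allowlist-only"


def ip_values(target):
    """Decoded ip= values from a request target. The query is split on '&'
    only (so ';' stays inside the value) and percent-decoded, so %3B becomes
    ';' here even though a raw-text search of the log would miss it."""
    values = []
    for pair in urlsplit(target).query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "ip":
            values.append(unquote_plus(raw))
    return values


def scan_access_log(lines):
    """Return one finding per suspicious ip= value sent to the vulnerable path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != TARGET_PATH:
            continue  # other paths are out of scope for this rule
        for value in ip_values(m["target"]):
            verdict = classify(value)
            if verdict != "ok":
                findings.append({"client": m["client"], "ts": m["ts"],
                                 "value": value, "verdict": verdict})
    return findings


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:08:12:01 +0000] "GET /manager/radius/server_ping.php?ip=10.0.0.5 HTTP/1.1" 200 311 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Oct/2025:08:12:02 +0000] "GET /manager/radius/server_ping.php?ip=127.0.0.1;id HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.9 - - [10/Oct/2025:08:13:44 +0000] "GET /manager/radius/server_ping.php?ip=127.0.0.1%3Bid HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.9 - - [10/Oct/2025:08:13:45 +0000] "GET /manager/radius/server_ping.php?ip=127.0.0.1%0Aid HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '192.0.2.21 - - [10/Oct/2025:08:15:00 +0000] "GET /index.php?ip=1;2 HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} verdict={f['verdict']} ip={f['value']!r}")
```

Of the five constructed lines, the first is clean and the last is on an unrelated path, so neither is reported. The raw and the percent-encoded semicolon both trip the denylist once the value is decoded, while the newline-separated payload is caught only by the allowlist, which is why the allowlist is the rule to prefer in both the WAF and the SIEM. Requests that carry ip in a POST body do not appear in access logs at all; for those, the WAF or application log is the only place to look.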
