CVE-2016-6366

Name: CVE-2016-6366
Creator: NVD / NIST
Published: 2016-08-18T18:59:00.117+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10Actively ExploitedEPSS 87.50%

Last modified Jun 17, 2026

CVE-2016-6366 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X, ASA Services Module, ASA 1000V, ASAv, Firepower 9300 ASA Security Module, PIX, and FWSM devices allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON.. CISA has confirmed active exploitation in the wild. EPSS estimates a 87.50% chance of exploitation in the next 30 days.

Description

Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X, ASA Services Module, ASA 1000V, ASAv, Firepower 9300 ASA Security Module, PIX, and FWSM devices allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

87.50%

99.7th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Jun 14, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Cisco	Pix Firewall Software	All versions
Cisco	Adaptive Security Appliance Software	>= 7.2.1, < 9.0.4.40
Cisco	Adaptive Security Appliance Software	>= 9.1.1, < 9.1.7\(9\)
Cisco	Adaptive Security Appliance Software	>= 9.2.0, < 9.2.4\(14\)
Cisco	Adaptive Security Appliance Software	>= 9.3.0, < 9.3.3\(10\)
Cisco	Adaptive Security Appliance Software	>= 9.4.0.115, < 9.4.3\(8\)
Cisco	Adaptive Security Appliance Software	>= 9.5.0, <= 9.5\(3\)
Cisco	Adaptive Security Appliance Software	>= 9.6.0, < 9.6.1\(11\)
Cisco	Asa 1000v Cloud Firewall Software	8.7.1
Cisco	Asa 1000v Cloud Firewall Software	8.7.1.1

References

http://blogs.cisco.com/security/shadow-brokersExploit, Press/Media Coverage, Vendor Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmpVendor Advisory
http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516Vendor Advisory
http://www.securityfocus.com/bid/92521Broken Link, Not Applicable, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036637Broken Link, Third Party Advisory, VDB Entry
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40258.zipBroken Link, Exploit
https://www.exploit-db.com/exploits/40258/Third Party Advisory, VDB Entry
https://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.htmlExploit, Technical Description
http://blogs.cisco.com/security/shadow-brokersExploit, Press/Media Coverage, Vendor Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmpVendor Advisory
http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516Vendor Advisory
http://www.securityfocus.com/bid/92521Broken Link, Not Applicable, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036637Broken Link, Third Party Advisory, VDB Entry
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40258.zipBroken Link, Exploit
https://www.exploit-db.com/exploits/40258/Third Party Advisory, VDB Entry
https://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.htmlExploit, Technical Description
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6366US Government Resource

Timeline

Published: Aug 18, 2016
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2016-6366?

How severe is CVE-2016-6366?

CVE-2016-6366 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 87.50% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2016-6366?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-6366?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST