CVE-2016-1287

CRITICAL

Cisco Adaptive Security Appliance Software - Remote Code Execution via IKEv1/IKEv2 UDP Packet Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2016-1287. PoCs published by Exodus Intelligence, NetSPI, jgajek.

AI-analyzed exploit summary This exploit targets CVE-2016-1287, a buffer overflow vulnerability in Cisco ASA devices. It includes shellcode for spawning a reverse Cisco CLI or a reverse shell, leveraging a crafted UDP packet to trigger the vulnerability.

Description

Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Exodus Intelligence · pythonremotehardware
https://www.exploit-db.com/exploits/39823

This exploit targets CVE-2016-1287, a buffer overflow vulnerability in Cisco ASA devices. It includes shellcode for spawning a reverse Cisco CLI or a reverse shell, leveraging a crafted UDP packet to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco ASA Software (multiple versions)
No auth needed
Prerequisites: Network access to the target device · UDP port 500 (IKE) accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 33 stars
by NetSPI · poc
https://github.com/NetSPI/asa_tools

This repository contains a functional Python script to verify CVE-2016-1287, a remote code execution vulnerability in Cisco ASA devices. The script crafts malicious IKE packets to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco ASA (multiple versions)
No auth needed
Prerequisites: Network access to the target Cisco ASA device
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 16 stars
by jgajek · poc
https://github.com/jgajek/killasa

This repository contains a functional Python script that exploits CVE-2016-1287, a vulnerability in Cisco ASA devices involving invalid IKE fragment lengths. The script uses Scapy to craft and send malformed IKEv2 packets, specifically fragments with invalid lengths, to trigger the vulnerability.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Cisco ASA (multiple versions)
No auth needed
Prerequisites: Network access to the target Cisco ASA device · IKEv2 service enabled on the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WORKING POC
by 0x1 · poc
https://gitlab.com/0x1/asa_tools

The repository contains a Python script that crafts malicious IKE packets to exploit CVE-2016-1287, a remote code execution vulnerability in Cisco ASA devices. The script constructs and sends specially formatted IKE packets to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco ASA (multiple versions)
No auth needed
Prerequisites: Network access to the target Cisco ASA device · Python 3 with the hexdump module
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034997
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://blog.exodusintel.com/2016/02/10/firewall-hacking/
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/327976
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39823/

Scores

CVSS v3 9.8
EPSS 0.7746
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (50)
cisco/adaptive_security_appliance_software 7.2.1
cisco/adaptive_security_appliance_software 7.2.1.9
cisco/adaptive_security_appliance_software 7.2.1.13
cisco/adaptive_security_appliance_software 7.2.1.19
cisco/adaptive_security_appliance_software 7.2.1.24
cisco/adaptive_security_appliance_software 7.2.2
cisco/adaptive_security_appliance_software 7.2.2.6
cisco/adaptive_security_appliance_software 7.2.2.10
cisco/adaptive_security_appliance_software 7.2.2.14
cisco/adaptive_security_appliance_software 7.2.2.18
... and 40 more
Published Feb 11, 2016
Tracked Since Feb 18, 2026