CVE-2016-1542

HIGH

BMC BladeLogic Server Automation <8.7 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2016-1542. PoCs published by Metasploit, Paul Taylor, bao7uo, including Metasploit module exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.

AI-analyzed exploit summary This Metasploit module exploits a weak access control vulnerability in BMC Server Automation RSCD agent (CVE-2016-1543) to execute arbitrary commands without authentication. It supports multiple platforms (Windows, Linux, Unix) and includes auto-targeting based on platform detection.

Description

The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/43939

This Metasploit module exploits a weak access control vulnerability in BMC Server Automation RSCD agent (CVE-2016-1543) to execute arbitrary commands without authentication. It supports multiple platforms (Windows, Linux, Unix) and includes auto-targeting based on platform detection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: BMC Server Automation RSCD Agent
No auth needed
Prerequisites: Network access to TCP port 4750 on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Paul Taylor · pythonremotemultiple
https://www.exploit-db.com/exploits/43902

This exploit leverages CVE-2016-1543 to achieve remote code execution on BMC BladeLogic RSCD agent via XMLRPC. It establishes a TLS connection and sends crafted XMLRPC requests to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: BMC BladeLogic RSCD agent 8.3.00.64
No auth needed
Prerequisites: Network access to the target system · RSCD agent running on port 4750
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 20 stars
by bao7uo · poc
https://github.com/bao7uo/bmc_bladelogic

This repository contains functional Python scripts that exploit CVE-2016-1542, an unauthorized password change vulnerability in BMC BladeLogic RSCD agent v8.6.01.66. The scripts demonstrate password changes and user enumeration via crafted XML-RPC requests over TLS.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: BMC BladeLogic RSCD agent v8.6.01.66
No auth needed
Prerequisites: Network access to the RSCD agent port (default: 4750) · TLS connectivity to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by patriknordlen · poc
https://github.com/patriknordlen/bladelogic_bmc-cve-2016-1542

This repository contains a functional exploit for CVE-2016-1542, targeting BMC BladeLogic RSCD agents. It includes a custom transport adapter to handle the TLSRPC protocol and XML-RPC commands to retrieve system users.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: BMC BladeLogic RSCD agent (checked for v8.6.01.66)
No auth needed
Prerequisites: Network access to the target system on port 4750
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Olga Yanushkevich, ERNW <@yaole0>, Nicky Bloor (@NickstaDB) <[email protected]> · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb

This Metasploit module exploits a weak access control vulnerability in BMC Server Automation RSCD agent (CVE-2016-1542, CVE-2016-1543) to execute arbitrary commands without authentication. It supports multiple platforms (Windows, Unix/Linux) and includes auto-target detection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: BMC Server Automation RSCD Agent
No auth needed
Prerequisites: Network access to TCP port 4750 · Vulnerable BMC Server Automation RSCD agent
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43902/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43939/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537909/100/0/threaded

Scores

CVSS v3 7.5
EPSS 0.7127
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-20
Status published
Products (11)
bmc/bladelogic_server_automation_console 8.2.02
bmc/bladelogic_server_automation_console 8.2.03
bmc/bladelogic_server_automation_console 8.2.04
bmc/bladelogic_server_automation_console 8.3.00
bmc/bladelogic_server_automation_console 8.3.01
bmc/bladelogic_server_automation_console 8.3.02
bmc/bladelogic_server_automation_console 8.3.03
bmc/bladelogic_server_automation_console 8.5.00
bmc/bladelogic_server_automation_console 8.5.01
bmc/bladelogic_server_automation_console 8.6.00
... and 1 more
Published Jun 13, 2016
Tracked Since Feb 18, 2026