CVE-2016-1543

HIGH

BMC BladeLogic Server Automation <8.8 - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-1543. PoCs published by Metasploit, Paul Taylor, Olga Yanushkevich, ERNW <@yaole0>, Nicky Bloor (@NickstaDB) <[email protected]>, including Metasploit module exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.

AI-analyzed exploit summary This Metasploit module exploits a weak access control vulnerability in BMC Server Automation RSCD agent (CVE-2016-1543) to execute arbitrary commands without authentication. It supports multiple platforms (Windows, Linux, Unix) and includes auto-targeting based on platform detection.

Description

The RPC API in the RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and reset arbitrary user passwords by sending an action packet to xmlrpc after an authorization failure.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/43939

View Code ZIP pw:eip

This Metasploit module exploits a weak access control vulnerability in BMC Server Automation RSCD agent (CVE-2016-1543) to execute arbitrary commands without authentication. It supports multiple platforms (Windows, Linux, Unix) and includes auto-targeting based on platform detection.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: BMC Server Automation RSCD Agent

No auth needed

Prerequisites: Network access to TCP port 4750 on the target

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Paul Taylor · pythonremotemultiple

https://www.exploit-db.com/exploits/43902

View Code ZIP pw:eip

This exploit leverages CVE-2016-1543 to achieve remote code execution on BMC BladeLogic RSCD agent via XMLRPC. It establishes a TLS connection and sends crafted XMLRPC requests to execute arbitrary commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: BMC BladeLogic RSCD agent 8.3.00.64

No auth needed

Prerequisites: Network access to the target system · RSCD agent running on port 4750

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Olga Yanushkevich, ERNW <@yaole0>, Nicky Bloor (@NickstaDB) <[email protected]> · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a weak access control vulnerability in BMC Server Automation RSCD agent (CVE-2016-1543) to execute arbitrary commands without authentication. It supports multiple platforms (Windows, Linux/Unix) and includes auto-targeting based on agent info.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: BMC Server Automation RSCD Agent

No auth needed

Prerequisites: Network access to RSCD agent (port 4750)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (6)

Core 6

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43902/

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43939/

Various Sources x_refsource_misc

https://www.insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/537910/100/0/threaded

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/136462/BMC-Server-Automation-BSA-RSCD-Agent-Unauthorized-Password-Reset.html

Patch, Vendor Advisory x_refsource_confirm

https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution

Scores

CVSS v3 7.5

EPSS 0.7303

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-284

Status published

Products (11)

bmc/bladelogic_server_automation_console 8.2.02

bmc/bladelogic_server_automation_console 8.2.03

bmc/bladelogic_server_automation_console 8.2.04

bmc/bladelogic_server_automation_console 8.3.00

bmc/bladelogic_server_automation_console 8.3.01

bmc/bladelogic_server_automation_console 8.3.02

bmc/bladelogic_server_automation_console 8.3.03

bmc/bladelogic_server_automation_console 8.5.00

bmc/bladelogic_server_automation_console 8.5.01

bmc/bladelogic_server_automation_console 8.6.00

... and 1 more

Published Jun 13, 2016

Tracked Since Feb 18, 2026