CVE-2016-2203

HIGH

Symantec Messaging Gateway < 10.6.1 - Local Encrypted AD Password Exposure


Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-2203. PoCs published by Fakhir Karim Reda, including Metasploit module auxiliary/scanner/http/symantec_brightmail_ldapcreds.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2016-2203 to extract and decrypt LDAP credentials from Symantec Brightmail Gateway by leveraging authenticated access to retrieve encrypted passwords and decrypting them using a hardcoded PBE key.

Description

The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges.

Exploits (2)

exploitdb WORKING POC
by Fakhir Karim Reda · ruby · webapps · java
https://www.exploit-db.com/exploits/39715

This Metasploit module exploits CVE-2016-2203 to extract and decrypt LDAP credentials from Symantec Brightmail Gateway by leveraging authenticated access to retrieve encrypted passwords and decrypting them using a hardcoded PBE key.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Symantec Brightmail Gateway 10.6.0-7 and earlier
Auth required
Prerequisites: Valid credentials for the Symantec Brightmail Gateway web interface · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb

This Metasploit module exploits a vulnerability in Symantec Messaging Gateway to extract stored Active Directory credentials by decrypting them using a disclosed PBE key. It requires authentication and interacts with the web interface to retrieve and decrypt the credentials.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Symantec Messaging Gateway 10.6.0-7 and earlier
Auth required
Prerequisites: Valid credentials for Symantec Messaging Gateway · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/86137
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035609
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39715/

Scores

CVSS v3 7.8
EPSS 0.0706
EPSS Percentile 93.4%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-255
Status published
Products (1)
symantec/messaging_gateway 10.6.0 patch3 (3 CPE variants)
Published Apr 22, 2016
Tracked Since Feb 18, 2026