CVE-2016-2296

CRITICAL

Meteocontrol Web'log Basic 100 - Security Feature Bypass

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-2296. PoCs published by Karn Ganeshen, including Metasploit module auxiliary/scanner/http/meteocontrol_weblog_extractadmin.

AI-analyzed exploit summary This Metasploit auxiliary module exploits an authentication bypass vulnerability in Meteocontrol WEB'log to extract the Administrator password by accessing a specific configuration page. It verifies the target application and retrieves the password from the HTML response.

Description

Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.

Exploits (2)

exploitdb WORKING POC
by Karn Ganeshen · rubywebappsmultiple
https://www.exploit-db.com/exploits/39822

This Metasploit auxiliary module exploits an authentication bypass vulnerability in Meteocontrol WEB'log to extract the Administrator password by accessing a specific configuration page. It verifies the target application and retrieves the password from the HTML response.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Meteocontrol WEB'log (all versions)
No auth needed
Prerequisites: Network access to the target device on port 8080 (or configured port)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb

This Metasploit module exploits an authentication bypass vulnerability in Meteocontrol WEBlog appliances to extract the Administrator password from the device management portal. It sends a GET request to a specific endpoint to retrieve the password embedded in the HTML response.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Meteocontrol WEBlog (software version < May 2016 release)
No auth needed
Prerequisites: Network access to the target device on port 8080 (or another configured port)
devstral-2 · analyzed Jun 05, 2026 Full analysis →

References (3)

Core 3
Core References
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/May/52
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39822/
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01

Scores

CVSS v3 9.4
EPSS 0.7531
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Details

CWE
CWE-254
Status published
Products (4)
meteocontrol/web\'log_basic_100
meteocontrol/web\'log_light
meteocontrol/web\'log_pro
meteocontrol/web\'log_pro_unlimited
Published May 14, 2016
Tracked Since Feb 18, 2026