CVE-2016-6433

HIGH

Cisco Firepower Mgmt Cntr <6.0.1 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-6433. PoCs published by Metasploit, KoreLogic, Matt, sinn3r, including Metasploit module exploits/linux/http/cisco_firepower_useradd.

AI-analyzed exploit summary This Metasploit module exploits CVE-2016-6433, a post-authentication vulnerability in Cisco Firepower Management Console 6.0.1, allowing the creation of a backdoor SSH account via improper useradd binary execution. It authenticates, creates a malicious user, and leverages SSH for command execution.

Description

The Threat Management Console in Cisco Firepower Management Center 5.2.0 through 6.0.1 allows remote authenticated users to execute arbitrary commands via crafted web-application parameters, aka Bug ID CSCva30872.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/41041

This Metasploit module exploits CVE-2016-6433, a post-authentication vulnerability in Cisco Firepower Management Console 6.0.1, allowing the creation of a backdoor SSH account via improper useradd binary execution. It authenticates, creates a malicious user, and leverages SSH for command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco Firepower Management Console 6.0.1 (build 1213)
Auth required
Prerequisites: Valid credentials for Cisco Firepower Management Console · Network access to target · SSH service accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by KoreLogic · textwebappscgi
https://www.exploit-db.com/exploits/40463

This exploit demonstrates an authenticated remote command execution vulnerability in Cisco Firepower Threat Management Console. It leverages an unrestricted file upload to execute arbitrary commands as the www user, which can then escalate to root via sudo privileges.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco Firepower Threat Management Console (Cisco Fire Linux OS 6.0.1, build 37/build 1213)
Auth required
Prerequisites: Valid session and CSRF token · Authenticated access to the web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Matt, sinn3r · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cisco_firepower_useradd.rb

This Metasploit module exploits a post-authentication vulnerability in Cisco Firepower Management Console 6.0.1 to create a backdoor SSH account via the useradd binary. It leverages a configuration flaw allowing the www user to execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco Firepower Management Console 6.0.1 (build 1213)
Auth required
Prerequisites: Valid credentials for the Cisco Firepower Management Console · SSH access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93414
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40463/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41041/

Scores

CVSS v3 8.8
EPSS 0.7575
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (20)
cisco/secure_firewall_management_center 5.2.0
cisco/secure_firewall_management_center 5.3.0
cisco/secure_firewall_management_center 5.3.0.2
cisco/secure_firewall_management_center 5.3.0.3
cisco/secure_firewall_management_center 5.3.0.4
cisco/secure_firewall_management_center 5.3.1
cisco/secure_firewall_management_center 5.3.1.3
cisco/secure_firewall_management_center 5.3.1.4
cisco/secure_firewall_management_center 5.3.1.5
cisco/secure_firewall_management_center 5.3.1.6
... and 10 more
Published Oct 06, 2016
Tracked Since Feb 18, 2026