CVE-2016-9091

HIGH

Blue Coat ASG <6.6.5.4 & CAS <1.3.7.4 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-9091. PoCs published by Chris Hebert.

Description

Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Chris Hebert · ruby · remote · linux
https://www.exploit-db.com/exploits/41785

This Metasploit module exploits an authenticated OS command injection vulnerability in BlueCoat CAS/ASG via the Report Email functionality. It allows execution of arbitrary commands with tomcat privileges by injecting payloads into the report URL parameter.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: BlueCoat CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4
Auth required
Prerequisites: Valid administrator credentials · Network access to target · SSL enabled on port 8082
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Chris Hebert · ruby · local · linux
https://www.exploit-db.com/exploits/41786

This Metasploit module exploits a privilege escalation vulnerability in BlueCoat CAS/ASG by abusing sudo access to the mvtroubleshooting.sh script, allowing a tomcat user to escalate to root. It replaces the nscd init script with a malicious payload and executes it via flush_dns.sh.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: BlueCoat CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4
Auth required
Prerequisites: Access to a tomcat session with sudo privileges · Target running vulnerable BlueCoat version
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97372
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41785/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41786/
Mitigation, Vendor Advisory x_refsource_confirm
https://bto.bluecoat.com/security-advisory/sa138

Scores

CVSS v3 7.2
EPSS 0.1013
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (4)
bluecoat/advanced_secure_gateway < 6.6.5.2
bluecoat/content_analysis_system_software < 1.3.7.3
Symantec Corporation/Blue Coat ASG 6.6 prior to 6.6.5.4
Symantec Corporation/Blue Coat CAS 1.3 prior to 1.3.7.4
Published Apr 05, 2017
Tracked Since Feb 18, 2026