CVE-2016-4437
CVE-2016-4437 is a critical-severity vulnerability in Redhat Fuse with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-321.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 93% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2022-4711
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-321
- Affected product: Redhat Fuse
- Published:
- Last modified:
Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Frequently asked questions
- What is CVE-2016-4437?
- Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
- How severe is CVE-2016-4437?
- CVE-2016-4437 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2016-4437 being actively exploited?
- Yes. CVE-2016-4437 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2016-4437?
- CVE-2016-4437 primarily affects Redhat Fuse. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2016-4437?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2016-4437 have an EU (EUVD) identifier?
- Yes. CVE-2016-4437 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-4711. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2016-4437 published?
- CVE-2016-4437 was published on 2016-06-07 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html
- http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.securityfocus.com/archive/1/538570/100/0/threaded
- http://www.securityfocus.com/bid/91024
- https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437
Affected products (4)
- cpe:2.3:a:apache:aurora:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
More vulnerabilities in Redhat Fuse
- CVE-2018-1270 — Critical (CVSS 9.8): Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow…
- CVE-2017-5645 — Critical (CVSS 9.8): In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log…
- CVE-2015-1427 — Critical (CVSS 9.8): The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the…
- CVE-2025-12543 — Critical (CVSS 9.6): A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications.…
- CVE-2019-10174 — High (CVSS 8.8): A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil…
- CVE-2018-1258 — High (CVSS 8.8): Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization…
All CVEs affecting Redhat Fuse →
Other CWE-321 vulnerabilities
- CVE-2024-30207 — Critical (CVSS 10.0): A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC…
- CVE-2014-5419 — Critical (CVSS 10.0): GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000,…
- CVE-2024-35344 — Critical (CVSS 9.9): Certain Anpviz products contain a hardcoded cryptographic key stored in the firmware of the device. This affects…
- CVE-2026-28742 — Critical (CVSS 9.8): Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every…
- CVE-2026-32644 — Critical (CVSS 9.8): Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.
- CVE-2025-67112 — Critical (CVSS 9.8): Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W…