CVE-2016-6564
CVE-2016-6564 is a high-severity vulnerability in Infinixauthority Hot X507 Firmware with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-264.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v2: 9.3
- EPSS exploit prediction: 3% (84th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-264
- Affected product: Infinixauthority Hot X507 Firmware
- Published:
- Last modified:
Description
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0
Frequently asked questions
- What is CVE-2016-6564?
- Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0
- How severe is CVE-2016-6564?
- CVE-2016-6564 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2016-6564 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (84th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2016-6564?
- CVE-2016-6564 primarily affects Infinixauthority Hot X507 Firmware. In total, 19 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2016-6564?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2016-6564 published?
- CVE-2016-6564 was published on 2018-07-13 and last updated on 2026-06-17.
References
- https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack
- https://www.kb.cert.org/vuls/id/624539
- https://www.securityfocus.com/bid/94393/
Affected products (19)
- cpe:2.3:o:infinixauthority:hot_x507_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:infinixauthority:hot_2_x510_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:infinixauthority:zero_x506_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:infinixauthority:zero_2_x509_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_g_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_g_plus_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_6.0_hd_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_x_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_x_plus_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_c_hd_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:xolo:cube_5.0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:beeline:pro_2_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:iku-mobile:colorful_k45i_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_5_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_6_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_3i_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_2s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:alfa_6_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:doogee:voyager_2_dg310i_firmware:-:*:*:*:*:*:*:*
Other CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities
- CVE-2016-8363 — Critical (CVSS 10.0): An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232…
- CVE-2016-7457 — Critical (CVSS 10.0): VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt…
- CVE-2015-7425 — Critical (CVSS 10.0): The Data Protection component in the VMware vSphere GUI in IBM Tivoli Storage Manager for Virtual Environments: Data…
- CVE-2015-8267 — Critical (CVSS 10.0): The PasswordReset.Controllers.ResetController.ChangePasswordIndex method in PasswordReset.dll in Dovestones AD Self…
- CVE-2015-7919 — Critical (CVSS 10.0): SearchBlox 8.3 before 8.3.1 allows remote attackers to write to the config file, and consequently cause a denial of…
- CVE-2015-7071 — Critical (CVSS 10.0): The File Bookmark component in Apple OS X before 10.11.2 allows attackers to bypass a sandbox protection mechanism for…
Browse all CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities →