CVE-2016-15048

Name of the Vulnerable Software and Affected Versions AMTT Hotel Broadband Operation System (HiBOS) (affected versions not specified)

Description The software contains an unauthenticated command injection issue in the /manager/radius/server ping.php endpoint. The application builds a shell command using the ip parameter provided by the user and executes it without sufficient validation or sanitization. This allows an attacker to inject shell metacharacters into the ip parameter, enabling the execution of arbitrary system commands with the privileges of the web server user. As of 2025-10-14 at 04:45:53.510819 UTC, this issue has been observed being exploited in real-world attacks. The product may have been rebranded under a different name.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.