Description

A client-side remote code execution vulnerability exists in Hanwha Techwin Smart Security Manager (SSM) versions 1.32 and 1.4, due to improper restrictions on the PUT method exposed by the bundled Apache ActiveMQ instance (running on port 8161). An attacker can exploit this flaw through a Cross-Origin Resource Sharing (CORS) bypass combined with JavaScript-triggered file uploads to the web server, ultimately resulting in arbitrary code execution with SYSTEM privileges. This vulnerability bypasses the server-side mitigations introduced in ZDI-15-156 and ZDI-16-481 by shifting the exploitation to the client-side. This product is now referred to as Hanwha Wisenet SSM and it is unknown if current versions are affected.

INFO

Published Date :

2025-07-25T15:53:44.379Z

Last Modified :

2025-11-21T14:07:12.496Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2016-15046 vulnerability.

Vendors Products
Hanwha-security
  • Smart Security Manager
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2016-15046.

URL Resource
http://www.zerodayinitiative.com/advisories/ZDI-15-156/ cve-icon cve-icon
http://www.zerodayinitiative.com/advisories/ZDI-16-481/ cve-icon cve-icon
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/samsung_security_manager_put.rb cve-icon cve-icon cve-icon
https://srcincite.io/advisories/src-2016-0032/ cve-icon cve-icon
https://web.archive.org/web/20160518205411/http://security.hanwhatechwin.com/product/product_view.asp?idx=6779#FL080000 cve-icon cve-icon
https://www.vulncheck.com/advisories/samsung-security-manager-activemq-file-upload-rce cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability