Zero-day vulnerability in Cisco ASA Series

SNMP remote code execution

The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group in 2013. The exploit code was dubbed ExtraBacon and presumably used by NSA operatives to infiltrate networks of government organizations and private companies.

Known malware:


Vulnerability details

Advisory: SB2016081803 - Remote code execution in Cisco ASA Appliances

Vulnerable component: Cisco ASA Series

CVE-ID: CVE-2016-6366

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling SNMP packets. A remote attacker with knowledge of SNMP community string can cause buffer overflow and cause the target device to reload or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in full compromise of affected system.

The following models of CISCO ASA appliances are affected:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

Note: this is a zero-day vulnerability, discovered after security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred as EXTRABACON Exploit.

Public Exploits:

Latest references in media:

- Cisco Patches Critical Code Execution Flaw in Security Appliances [2018-01-30 10:30:08]

- US-CERT тАУ Warning, Shadow Brokers Hackers are offering an SMB Zero-Day exploit [2017-01-20 09:12:16]

- Cisco finds new Zero-Day Exploit linked to The Shadow Brokers NSA Hackers [2016-09-20 10:00:09]

- CVE-2016-6415 тАУ CISCO confirms a new Zero-Day linked to Equation Group hack [2016-09-19 10:18:43]

- Cisco Finds New Zero-Day Linked to "Shadow Brokers" Exploit [2016-09-19 09:18:23]

- Many Cisco Devices Still Vulnerable to NSA-Linked Exploit [2016-09-07 15:28:06]

- NSA EXTRABACON exploit still threatens tens of thousands of CISCO ASA boxes [2016-09-05 15:58:17]

- Want Fries With Your EXTRABACON or EPICBANANA? Cisco Addresses Two New Vulnerabilities [2016-08-31 14:37:43]

- Cisco starts publishing fixes for EXTRABACON exploit [2016-08-29 10:13:41]

- Cisco, Fortinet and Snowden Docs Confirm that Leaked Exploits are Legit and Belong to NSA [2016-08-26 20:10:04]

- Industry Reactions to Shadow Brokers Leak: Feedback Friday [2016-08-26 18:59:12]

- Cisco Updates ASA Software to fix the Equation GroupтАЩs EXTRABACON exploit [2016-08-25 17:56:24]

- Cisco Updates ASA Software to Address NSA-Linked Exploit [2016-08-25 16:25:43]

- Cisco Begins Patching Equation Group ASA Zero Day [2016-08-24 23:59:45]

- Leaked ShadowBrokers Attack Upgraded to Target Current Versions of Cisco ASA [2016-08-24 19:16:21]

- Leaked EXTRABACON exploit can work on newer Cisco ASA firewalls [2016-08-24 12:44:57]

- Leaked Cisco ASA Exploit Adapted for Newer Versions [2016-08-24 12:13:04]

- Juniper Confirms Leaked Implants Target Its Products [2016-08-23 11:20:50]

- Cisco, Fortinet and Snowden Docs Confirm that Leaked Exploits are Legit and Belong to NSA [2016-08-20 11:34:02]

- Cisco, Fortinet validate exploits leaked by the Shadow Brokers [2016-08-18 12:07:49]

- Firewall Vendors Analyze Exploits Leaked by "Shadow Brokers" [2016-08-18 09:51:43]

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.