How to Fix CVE-2016-6366: Buffer Overflow in Cisco Adaptive Security Appliance (ASA)

By Sai Kiran Pandrala

Actively exploited. Listed in the CISA Known Exploited Vulnerabilities catalog since 2022-05-24; federal civilian agencies must remediate by 2022-06-14. Patch on an emergency cycle if the system is internet-exposed.

What is CVE-2016-6366?

Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X, ASA Services Module, ASA 1000V, ASAv, Firepower 9300 ASA Security Module, PIX, and FWSM devices allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON.

A successful exploit can crash the process or, when chained, allow code execution by the remote attacker. The fix is to install the patched build of Cisco Adaptive Security Appliance (ASA) listed in the table above, then confirm the running version after the upgrade.

Am I affected?

Check your installed version of Cisco Adaptive Security Appliance (ASA) against the Affected row above. If the build sits inside any of those ranges, treat the host as vulnerable until patched.

Read the version the same way you would for any maintenance task: the management console About page, the CLI version command, or the package manager record for the installed binary. The vendor advisory linked in the references is the authoritative source for the affected-build matrix.

How to fix CVE-2016-6366

The remediation is the patched build of Cisco Adaptive Security Appliance (ASA). The blocks below give you runnable commands for the platforms that ship this product, plus a full PowerShell and Bash script you can drop into your patch automation.

Cisco IOS / IOS XE / NX-OS (console)

enable
show version
copy running-config startup-config
copy tftp://10.0.0.5/patched-image.bin flash:
verify /md5 flash:patched-image.bin
boot system flash:patched-image.bin
reload

Cisco IOS XR / FXOS (install commit)

install add source tftp://10.0.0.5 patched-image.iso
install activate patched-image.iso
install commit
show install active

Cisco ASA / FTD

ciscoasa# copy ftp://user@host/asa-patched.bin disk0:
ciscoasa# boot system disk0:/asa-patched.bin
ciscoasa# write memory
ciscoasa# reload

Full PowerShell remediation script (detect, back up, patch, verify, log)

<#
.SYNOPSIS  Remediates CVE-2016-6366 on Windows hosts.
.DESCRIPTION
  Detects current version of Adaptive Security Appliance (ASA), takes a config backup, applies the patched build
  (the patched build), confirms the upgrade, and writes a transcript to %ProgramData%\Patching.
#>
$ErrorActionPreference = 'Stop'
$logDir = "$env:ProgramData\Patching"
New-Item -ItemType Directory -Force -Path $logDir | Out-Null
Start-Transcript -Path "$logDir\CVE-2016-6366-$(Get-Date -Format yyyyMMdd-HHmmss).log"

try {
    Write-Host '[1/5] Detecting current version'
    $svc = Get-Service | Where-Object { $_.DisplayName -match 'Adaptive' } | Select-Object -First 1
    if ($svc) { Write-Host "  Service: $($svc.Name) state=$($svc.Status)" }

    Write-Host '[2/5] Backup config directory if present'
    $cfg = "$env:ProgramFiles\Adaptive"
    if (Test-Path $cfg) {
        $bak = "$logDir\CVE-2016-6366-backup-$(Get-Date -Format yyyyMMdd-HHmmss).zip"
        Compress-Archive -Path $cfg -DestinationPath $bak -Force
        Write-Host "  Backup -> $bak"
    }

    Write-Host '[3/5] Apply patch'
    try {
        winget upgrade --id <vendor.Adaptive> --accept-source-agreements --accept-package-agreements --silent
    } catch {
        Write-Warning "winget upgrade failed: $_  -- falling back to MSU/MSI installer"
        Start-Process msiexec.exe -ArgumentList '/i "C:\Temp\patched.msi" /qn /norestart' -Wait
    }

    Write-Host '[4/5] Verify version'
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
    # Adapt the next line to your product's version file:
    Get-ChildItem "$env:ProgramFiles\Adaptive" -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Select-Object -First 1 | ForEach-Object { $_.VersionInfo.FileVersion }

    Write-Host '[5/5] Restart service if needed'
    if ($svc) { Restart-Service $svc.Name }
    Write-Host "CVE-2016-6366 remediation complete"
} catch {
    Write-Error "CVE-2016-6366 remediation FAILED: $_"
    exit 1
} finally {
    Stop-Transcript
}

Full Bash remediation script (detect, back up, patch, verify, log)

#!/usr/bin/env bash
# remediate-cve-2016-6366.sh — detect, back up, patch, verify.
set -euo pipefail
LOG="/var/log/patching"
mkdir -p "$LOG"
STAMP="$(date +%Y%m%d-%H%M%S)"
LOGFILE="$LOG/CVE-2016-6366-$STAMP.log"
exec > >(tee -a "$LOGFILE") 2>&1

echo "[1/5] Detect installed Adaptive Security Appliance (ASA)"
if command -v dpkg >/dev/null 2>&1; then
    dpkg -l | grep -i "adaptive" || true
elif command -v rpm >/dev/null 2>&1; then
    rpm -qa | grep -i "adaptive" || true
fi

echo "[2/5] Backup config"
for d in /etc/adaptive /opt/adaptive /usr/local/adaptive; do
    if [[ -d "$d" ]]; then
        tar czf "$LOG/CVE-2016-6366-$(basename $d)-$STAMP.tgz" "$d"
        echo "  Backup -> $LOG/CVE-2016-6366-$(basename $d)-$STAMP.tgz"
    fi
done

echo "[3/5] Apply patch (target: the patched build)"
if command -v apt-get >/dev/null 2>&1; then
    sudo apt-get update
    sudo apt-get install --only-upgrade "adaptive" -y
elif command -v dnf >/dev/null 2>&1; then
    sudo dnf upgrade "adaptive" --security -y
elif command -v yum >/dev/null 2>&1; then
    sudo yum update "adaptive" --security -y
elif command -v zypper >/dev/null 2>&1; then
    sudo zypper patch --category security
fi

echo "[4/5] Verify"
if systemctl status "adaptive" >/dev/null 2>&1; then
    sudo systemctl restart "adaptive"
    systemctl is-active "adaptive"
fi
command -v "adaptive" >/dev/null 2>&1 && "adaptive" --version || true

echo "[5/5] CVE-2016-6366 remediation script complete. Log: $LOGFILE"

If you can't patch immediately

Restrict the management plane (Windows firewall, PowerShell)

New-NetFirewallRule -DisplayName 'Restrict-mgmt-CVE-2016-6366' -Direction Inbound -Action Block -Protocol TCP -LocalPort 443,8443,3389 -RemoteAddress Any
New-NetFirewallRule -DisplayName 'Allow-mgmt-admin-allowlist' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443,8443,3389 -RemoteAddress 10.0.0.0/24

Restrict the management plane (Linux nftables)

sudo nft add table inet filter 2>/dev/null || true
sudo nft 'add chain inet filter input { type filter hook input priority 0; }' 2>/dev/null || true
sudo nft add rule inet filter input ip saddr 10.0.0.0/24 tcp dport { 443, 8443, 22 } accept
sudo nft add rule inet filter input tcp dport { 443, 8443, 22 } drop

How to verify the fix worked

1. Re-run the version command from the fix section. The output must match the patched build listed in the vendor advisory for your branch.
2. Re-run an authenticated vulnerability scan (Nessus, Qualys, OpenVAS, Defender Vulnerability Management) targeting the patched host. CVE-2016-6366 must no longer be reported.
3. Pull the latest service logs and search for the exploitation signatures in the vendor advisory. Treat any match before the patch timestamp as a possible compromise: isolate the host, rotate credentials the affected process could see, and run a full IR triage.
4. Confirm any compensating control you put in place (firewall rules, sysctl, registry edits) is either intentionally left in place or rolled back, with the change documented in your CMDB.

Frequently asked questions

Related fixes

Other vulnerabilities in the same area that are worth patching alongside this one:

• How to Fix CVE-2026-20133: Information Disclosure in Cisco Catalyst SD-WAN Manager — Information Disclosure in Cisco Catalyst SD-WAN Manager
• How to Fix CVE-2026-20031: Uncaught exception in Cisco Secure Endpoint — Uncaught exception in Cisco Secure Endpoint
• How to Fix CVE-2023-20078: Stack-based Buffer Overflow in Cisco IP Phones with Multiplatform Firmware , Stack-based Buffer Overflow in Cisco IP Phones with Multiplatform Firmware
• How to Fix CVE-2026-20170: Neutralization of script-related html tags in flaw in Cisco Webex Contact Center , Neutralization of script-related html tags in flaw in Cisco Webex Contact Center
• How to Fix CVE-2026-20100: Buffer overflow in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software , Buffer overflow in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software

Is CVE-2016-6366 being exploited right now?

Yes. CVE-2016-6366 is in the CISA Known Exploited Vulnerabilities catalog, added 2022-05-24. CISA only lists CVEs with confirmed active exploitation.

What is the CVSS score for CVE-2016-6366?

CVSS 8.8 (High). Use it together with your exposure picture (internet-facing first, then DMZ, then internal) when you set the patch order.

Can I run the fix without downtime?

It depends on the platform. Network appliances often support hitless HA upgrades (upgrade the standby, fail over, upgrade the former primary). Application servers usually need a service restart. Clustered services (Elasticsearch, Tomcat behind a load balancer, MySQL replicas) tolerate a rolling upgrade. Schedule a maintenance window if HA is not in place.

What if my version is not in the affected list?

Re-check the build string in the vendor advisory linked below. CVE records reflect the affected-products list at publication. Variants discovered later are added to the same advisory or a follow-up CVE.

References

• Official vendor advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2016-6366
• CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• http://www.securityfocus.com/bid/92521
• https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40258.zip
• http://blogs.cisco.com/security/shadow-brokers
• http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516

*This guide was assembled from the official vendor advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the vendor advisory before applying changes in production.*