CVE-2016-6562

ShoreTel Mobility Client for iOS and Android, version 9.1.3.109 and earlier, fails to properly validate SSL certificates provided by HTTPS connections

Description

On iOS and Android devices, the ShoreTel Mobility Client app version 9.1.3.109 fails to properly validate SSL certificates provided by HTTPS connections, which means that an attacker in the position to perform MITM attacks may be able to obtain sensitive account information such as login credentials.

Remediation

Solution:

  • ShoreTel has released version 9.1.5.104 for all devices to address the vulnerability.

Category

7.5
CVSS
Severity: High
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.14%
Third-Party Advisory cert.org Third-Party Advisory info-sec.ca Third-Party Advisory securityfocus.com
Affected: ShoreTel Mobility Client iOS
Affected: ShoreTel Mobility Client Andoid
Published at:
Updated at:

References

Link Tags
https://www.info-sec.ca/advisories/ShoreTel-Mobility.html third party advisory
https://www.kb.cert.org/vuls/id/475907 third party advisory us government resource
https://www.securityfocus.com/bid/95224 third party advisory vdb entry

Frequently Asked Questions

What is the severity of CVE-2016-6562?
CVE-2016-6562 has been scored as a high severity vulnerability.
How to fix CVE-2016-6562?
To fix CVE-2016-6562: ShoreTel has released version 9.1.5.104 for all devices to address the vulnerability.
Is CVE-2016-6562 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2016-6562 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-6562?
CVE-2016-6562 affects ShoreTel Mobility Client iOS, ShoreTel Mobility Client Andoid .
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.