CVE-2016-9463

Public Exploit

Description

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.

Categories

8.1
CVSS
Severity: High
CVSS 3.0 •
CVSS 2.0 •
EPSS 3.86% Top 15%
Vendor Advisory nextcloud.com Vendor Advisory owncloud.org
Affected: n/a Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9
Published at:
Updated at:

References

Link Tags
https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274 issue tracking third party advisory patch
https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791 issue tracking third party advisory patch
https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/ exploit third party advisory technical description
https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732 issue tracking third party advisory patch
https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3 issue tracking third party advisory patch
https://hackerone.com/reports/148151 third party advisory exploit
https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087 issue tracking third party advisory patch
https://owncloud.org/security/advisory/?id=oc-sa-2016-017 patch vendor advisory
https://nextcloud.com/security/advisory/?id=nc-sa-2016-006 patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2016-9463?
CVE-2016-9463 has been scored as a high severity vulnerability.
How to fix CVE-2016-9463?
To fix CVE-2016-9463, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-9463 being actively exploited in the wild?
It is possible that CVE-2016-9463 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~4% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-9463?
CVE-2016-9463 affects n/a Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.