Medium severity4.3NVD Advisory· Published Jan 30, 2017· Updated May 13, 2026

CVE-2015-7976

Description

The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3.x fails to sanitize special characters in filenames, potentially allowing arbitrary file overwrite.

Vulnerability

The bug resides in the ntpq saveconfig command, which writes the current NTP configuration to a file. The command does not properly filter special characters (e.g., directory traversal or shell metacharacters) in the filename argument. This affects NTP versions 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 [1][2][3][4]. An attacker must have access to issue the saveconfig command, typically requiring authentication to ntpq.

Exploitation

An attacker with ntpq access can craft a filename containing dangerous characters such as ../ or shell metacharacters. When the saveconfig command is executed with this filename, the daemon writes the configuration to the unintended path, potentially overwriting arbitrary files. No user interaction beyond issuing the command is required [3][4].

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the system, which could lead to privilege escalation, denial of service, or other unauthorized changes. The impact is file write compromise, though remote code execution is not demonstrated in the references [3][4].

Mitigation

The vulnerability is fixed in NTP version 4.2.8p6, released on 2016-01-19 [1][2]. Users should upgrade to 4.2.8p6 or later. Workarounds include restricting access to the ntpq saveconfig command via configuration or network access controls. Cisco, FreeBSD, and Ubuntu have released updates addressing this issue [1][2][4]. No KEV listing is available.

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

133

Ntp/Ntp93 versions
cpe:2.3:a:ntp:ntp:4.1.2:*:*:*:*:*:*:*+ 92 more
- cpe:2.3:a:ntp:ntp:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.18:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.21:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.27:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.29:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.30:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.31:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.32:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.33:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.34:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.35:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.36:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.37:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.38:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.39:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.40:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.41:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.42:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.43:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.44:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.45:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.46:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.47:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.48:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.49:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.50:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.51:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.52:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.53:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.54:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.55:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.56:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.57:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.58:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.59:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.60:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.61:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.62:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.63:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.64:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.65:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.66:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.67:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.68:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.69:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.70:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.71:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.72:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.73:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.74:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.75:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.76:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.77:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.78:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.79:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.80:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.81:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.82:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.83:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.84:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.85:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.86:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.87:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.88:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.89:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:*:p5:*:*:*:*:*:*range: <=4.2.8
- (no CPE)range: <=4.2.8p5
SUSE S.A./Linux Enterprise Debuginfo3 versions
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp2:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp2:*:*:*:*:*:*
- cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp3:*:*:*:*:*:*
- cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:*
SUSE S.A./Manager
cpe:2.3:a:suse:manager:2.1:*:*:*:*:*:*:*
SUSE S.A./Manager Proxy
cpe:2.3:a:suse:manager_proxy:2.1:*:*:*:*:*:*:*
Novell/Suse Openstack Cloud
cpe:2.3:o:novell:suse_openstack_cloud:5:*:*:*:*:*:*:*
OpenSUSE/Leap
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
OpenSUSE/openSUSE
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
SUSE S.A./Linux Enterprise Desktop2 versions
cpe:2.3:o:suse:linux_enterprise_desktop:12:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:suse:linux_enterprise_desktop:12:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1:*:*:*:*:*:*
SUSE S.A./Linux Enterprise Server6 versions
cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:ltss:*:*:*+ 5 more
- cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:ltss:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:ltss:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*
osv-coords24 versions
pkg:rpm/opensuse/ntp&distro=openSUSE%20Tumbleweed pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1 pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSS pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012 pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1 pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012 pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 pkg:rpm/suse/ntp&distro=SUSE%20Manager%202.1 pkg:rpm/suse/ntp&distro=SUSE%20Manager%20Proxy%202.1 pkg:rpm/suse/ntp&distro=SUSE%20OpenStack%20Cloud%205 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSS pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%2012 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012 pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1
< 4.2.8p9-1.1+ 23 more
- (no CPE)range: < 4.2.8p9-1.1
- (no CPE)range: < 4.2.8p6-46.5.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-46.5.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-46.5.2
- (no CPE)range: < 4.2.8p6-8.2
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 4.2.8p6-41.1
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2
- (no CPE)range: < 2.17.14.1-1.12.1
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2
- (no CPE)range: < 3.1.12.4-8.2
- (no CPE)range: < 3.1.22-6.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-updates/2016-05/msg00114.htmlnvdThird Party Advisory
support.ntp.org/bin/view/Main/NtpBug2938nvdVendor Advisory
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpdnvdThird Party Advisory
www.securitytracker.com/id/1034782nvdThird Party AdvisoryVDB Entry
www.ubuntu.com/usn/USN-3096-1nvdThird Party Advisory
bto.bluecoat.com/security-advisory/sa113nvdThird Party Advisory
security.gentoo.org/glsa/201607-15nvdThird Party Advisory
www.kb.cert.org/vuls/id/718152nvdThird Party AdvisoryUS Government Resource
security.freebsd.org/advisories/FreeBSD-SA-16:09.ntp.ascnvd
security.netapp.com/advisory/ntap-20171031-0001/nvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000