Critical severity 9.8 · CISA KEV · NVD Advisory · Published Jun 7, 2016 · Updated Jun 17, 2026
CVE-2016-4437
Description
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-core (Maven) | < 1.2.5 | 1.2.5 |
Affected products (5)
- cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
References (11)
- packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html [nvd: Exploit, Third Party Advisory, VDB Entry; WEB]
- packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html [nvd: Third Party Advisory, VDB Entry; WEB]
- rhn.redhat.com/errata/RHSA-2016-2035.html [nvd: Third Party Advisory; WEB]
- rhn.redhat.com/errata/RHSA-2016-2036.html [nvd: Third Party Advisory; WEB]
- www.securityfocus.com/archive/1/538570/100/0/threaded [nvd: Broken Link, Third Party Advisory, VDB Entry; WEB]
- www.securityfocus.com/bid/91024 [nvd: Broken Link, Third Party Advisory, VDB Entry; WEB]
- github.com/advisories/GHSA-p836-389h-j692 [ghsa; ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2016-4437 [ghsa; ADVISORY]
- lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E [nvd: Mailing List; WEB]
- lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E [ghsa; WEB]
- www.cisa.gov/known-exploited-vulnerabilities-catalog [nvd: US Government Resource; WEB]
News mentions (2)
- New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks · The Hacker News · Jun 26, 2026
- StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader · Securelist · Jun 24, 2026