{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"Command Injection in Command Line Interface"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2016-3654","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-11T00:53:32.143Z","generator":{"date":"2026-04-11T00:53:32.143Z","engine":{"name":"Vulnogram","version":"0.0.9"}},"id":"CVE-2016-3654","initial_release_date":"2016-02-24T18:30:00.000Z","revision_history":[{"number":"1","date":"2026-04-10T17:53:32.000Z","summary":"Initial release"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[]}]},"vulnerabilities":[{"cve":"CVE-2016-3654","product_status":{"fixed":["PANW-PAN-OS-458","PANW-PAN-OS-459","PANW-PAN-OS-460","PANW-PAN-OS-467","PANW-PAN-OS-470"],"known_affected":["PANW-PAN-OS-464","PANW-PAN-OS-471","PANW-PAN-OS-465","PANW-PAN-OS-466","PANW-PAN-OS-469"]},"notes":[{"category":"description","text":"Palo Alto Networks firewalls implement a command line interface for interactive configuration through a serial interface or a remote SSH session. An issue was identified that can cause incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution on the OS level. This vulnerability requires successful authentication but can be used to execute OS commands with root privileges if the logged on user has administrative privileges. (Ref #89706) (CVE-2016-3654)\nThis vulnerability is exploitable only by authenticated administrators that are granted access to the device management CLI.\nThis issue affects PAN-OS releases 5.0.17 and prior; 5.1.10 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.5 and prior"}],"references":[{"category":"external","summary":"NVD - CVE-2016-3654","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3654"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2016-3654","url":"https://security.paloaltonetworks.com/CVE-2016-3654"}],"threats":[{"category":"impact","description":"Palo Alto Networks firewalls implement a command line interface for interactive configuration through a serial interface or a remote SSH session. An issue was identified that can cause incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution on the OS level. This vulnerability requires successful authentication but can be used to execute OS commands with root privileges if the logged on user has administrative privileges. (Ref #89706) (CVE-2016-3654)\nThis vulnerability is exploitable only by authenticated administrators that are granted access to the device management CLI.\nThis issue affects PAN-OS releases 5.0.17 and prior; 5.1.10 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.5 and prior"}],"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"products":["PANW-PAN-OS-464","PANW-PAN-OS-471","PANW-PAN-OS-465","PANW-PAN-OS-466","PANW-PAN-OS-469"]}]}]}