HOMEVULNERABILITIESCVE-2016-9485
HIGH

CVE-2016-9485

CWE-378Published: July 13, 2018· Updated: Jun 17, 2026

7.8
CVSS v3.1

Official Description

On Windows endpoints, the SecureConnector agent must run under the local SYSTEM account or another administrator account in order to enable full functionality of the agent. The typical configuration is for the agent to run as a Windows service under the local SYSTEM account. The SecureConnector agent runs various plugin scripts and executables on the endpoint in order to gather and report information about the host to the CounterACT management appliance. The SecureConnector agent downloads these scripts and executables as needed from the CounterACT management appliance and runs them on the endpoint. The SecureConnector agent fails to set any permissions on downloaded file objects. This allows a malicious user to take ownership of any of these files and make modifications to it, regardless of where the files are saved. These files are then executed under SYSTEM privileges. A malicious unprivileged user can overwrite these executable files with malicious code before the SecureConnector agent executes them, causing the malicious code to be run under the SYSTEM account.

NVD Source

Technical Analysis

CVE-2016-9485 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

forescout1 product(s)
secureconnector
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (4)

http://www.securityfocus.com/bid/94740Third Party Advisory · VDB Entry
https://www.kb.cert.org/vuls/id/768331Third Party Advisory · US Government Resource
http://www.securityfocus.com/bid/94740Third Party Advisory · VDB Entry
https://www.kb.cert.org/vuls/id/768331Third Party Advisory · US Government Resource

Quick Facts

CVE IDCVE-2016-9485
CVSS Score7.8 / 10
SeverityHIGH
WeaknessCWE-378
CISA KEVNo
Affected1 vendor(s)
PublishedJul 13, 2018

Related CVEs (CWE-378)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2016-9485 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.