CVE Tools

Description

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

In plain language

AI Act now

CVE-2016-4437 is a serious Apache Shiro weakness that lets remote attackers either run code or get around access rules, without needing a login; if your business uses Apache Shiro versions earlier than 1.2.5 (or Aurora with older versions), you should treat this as an urgent patch.

Executive summary

Apache Shiro before 1.2.5 (and Aurora <0.18.1) is vulnerable when the “remember me” feature is enabled but no cipher key is configured, allowing unauthenticated remote attackers to execute arbitrary code or bypass access restrictions.

If affected, business impact
Full application takeoverUnauthorized access to accountsCustomer or business data theftSystem disruption or outages

What to do now

  1. Check whether you use Apache Shiro (or an app/server component that bundles Shiro) and confirm the Shiro version in your deployed product stack.
  2. Check whether your Shiro “remember me” feature is enabled and whether a cipher key is configured for it.
  3. If you are running Shiro earlier than 1.2.5, upgrade to Apache Shiro 1.2.5 (or later) per the vendor fix.
  4. If you are running Aurora, upgrade Aurora to 0.18.1 or later.
Usually a quick update

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Affected Products

and 1 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Nov 3, 2021
Remediation due:May 3, 2022

Required action: Apply updates per vendor instructions.

2 exploit sources identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available

References

and 7 more references View all →
2

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2016-4437 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows