{"api_version":"1","generated_at":"2026-05-13T13:00:36+00:00","cve":"CVE-2016-4863","urls":{"html":"https://cve.report/CVE-2016-4863","api":"https://cve.report/api/cve/CVE-2016-4863.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-4863","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-4863"},"summary":{"title":"CVE-2016-4863","description":"The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when \"Internet pass-thru Mode\" is enabled, which allows attackers with access to STA side LAN can obtain files or data.","state":"PUBLISHED","assigner":"jpcert","published_at":"2017-05-22 16:29:00","updated_at":"2025-04-20 01:37:25"},"problem_types":["CWE-287","Lack of authentication mechanism"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"3.3","severity":"","vector":"AV:A/AC:L/Au:N/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:P/I:N/A:N","baseScore":3.3,"accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://jvn.jp/en/jp/JVN39619137/index.html","name":"https://jvn.jp/en/jp/JVN39619137/index.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"JVN#39619137: Toshiba FlashAir does not require authentication in \"Internet pass-thru Mode\"","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/93479","name":"http://www.securityfocus.com/bid/93479","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"Multiple Toshiba FlashAir Products CVE-2016-4863 Security Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000168","name":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000168","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-4863","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-4863","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Toshiba","product":"FlashAir SD-WD/WC series Class 6 model","version":"affected firmware version 1.00.04 and later","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir SD-WD/WC series Class 10 model W-02","version":"affected firmware version 2.00.02 and later","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir SD-WE series Class 10 model W-03","version":"affected all firmware versions","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir Class 6 model","version":"affected firmware version 1.00.04 and later","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir II Class 10 model W-02 series","version":"affected firmware version 2.00.02 and later","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir III Class 10 model W-03 series","version":"affected all firmware versions","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir Class 6 model","version":"affected firmware version 1.00.04 and later","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir W-02 series Class 10 model","version":"affected firmware version 2.00.02 and later","platforms":[]},{"source":"CNA","vendor":"Toshiba","product":"FlashAir W-03 series Class 10 model","version":"affected all firmware versions","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"4863","vulnerable":"1","versionEndIncluding":"1.00.03","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"toshiba","cpe5":"flashair","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"4863","vulnerable":"1","versionEndIncluding":"1.00.04","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"toshiba","cpe5":"flashair","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"4863","vulnerable":"1","versionEndIncluding":"1.00.06","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"toshiba","cpe5":"flashair","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"4863","vulnerable":"1","versionEndIncluding":"1.02","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"toshiba","cpe5":"flashair","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"4863","vulnerable":"1","versionEndIncluding":"2.00.03","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"toshiba","cpe5":"flashair","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"4863","vulnerable":"1","versionEndIncluding":"3.0.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"toshiba","cpe5":"flashair","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"4863","vulnerable":"1","versionEndIncluding":"3.00.01","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"toshiba","cpe5":"flashair","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T00:46:38.522Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"93479","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/93479"},{"name":"JVN#39619137","tags":["third-party-advisory","x_refsource_JVN","x_transferred"],"url":"https://jvn.jp/en/jp/JVN39619137/index.html"},{"name":"JVNDB-2016-000168","tags":["third-party-advisory","x_refsource_JVNDB","x_transferred"],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000168"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"FlashAir SD-WD/WC series Class 6 model","vendor":"Toshiba","versions":[{"status":"affected","version":"firmware version 1.00.04 and later"}]},{"product":"FlashAir SD-WD/WC series Class 10 model W-02","vendor":"Toshiba","versions":[{"status":"affected","version":"firmware version 2.00.02 and later"}]},{"product":"FlashAir SD-WE series Class 10 model W-03","vendor":"Toshiba","versions":[{"status":"affected","version":"all firmware versions"}]},{"product":"FlashAir Class 6 model","vendor":"Toshiba","versions":[{"status":"affected","version":"firmware version 1.00.04 and later"}]},{"product":"FlashAir II Class 10 model W-02 series","vendor":"Toshiba","versions":[{"status":"affected","version":"firmware version 2.00.02 and later"}]},{"product":"FlashAir III Class 10 model W-03 series","vendor":"Toshiba","versions":[{"status":"affected","version":"all firmware versions"}]},{"product":"FlashAir Class 6 model","vendor":"Toshiba","versions":[{"status":"affected","version":"firmware version 1.00.04 and later"}]},{"product":"FlashAir W-02 series Class 10 model","vendor":"Toshiba","versions":[{"status":"affected","version":"firmware version 2.00.02 and later"}]},{"product":"FlashAir W-03 series Class 10 model","vendor":"Toshiba","versions":[{"status":"affected","version":"all firmware versions"}]}],"datePublic":"2016-10-07T00:00:00.000Z","descriptions":[{"lang":"en","value":"The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when \"Internet pass-thru Mode\" is enabled, which allows attackers with access to STA side LAN can obtain files or data."}],"problemTypes":[{"descriptions":[{"description":"Lack of authentication mechanism","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-05-23T09:57:01.000Z","orgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","shortName":"jpcert"},"references":[{"name":"93479","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/93479"},{"name":"JVN#39619137","tags":["third-party-advisory","x_refsource_JVN"],"url":"https://jvn.jp/en/jp/JVN39619137/index.html"},{"name":"JVNDB-2016-000168","tags":["third-party-advisory","x_refsource_JVNDB"],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000168"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"vultures@jpcert.or.jp","ID":"CVE-2016-4863","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"FlashAir SD-WD/WC series Class 6 model","version":{"version_data":[{"version_value":"firmware version 1.00.04 and later"}]}},{"product_name":"FlashAir SD-WD/WC series Class 10 model W-02","version":{"version_data":[{"version_value":"firmware version 2.00.02 and later"}]}},{"product_name":"FlashAir SD-WE series Class 10 model W-03","version":{"version_data":[{"version_value":"all firmware versions"}]}},{"product_name":"FlashAir Class 6 model","version":{"version_data":[{"version_value":"firmware version 1.00.04 and later"}]}},{"product_name":"FlashAir II Class 10 model W-02 series","version":{"version_data":[{"version_value":"firmware version 2.00.02 and later"}]}},{"product_name":"FlashAir III Class 10 model W-03 series","version":{"version_data":[{"version_value":"all firmware versions"}]}},{"product_name":"FlashAir Class 6 model","version":{"version_data":[{"version_value":"firmware version 1.00.04 and later"}]}},{"product_name":"FlashAir W-02 series Class 10 model","version":{"version_data":[{"version_value":"firmware version 2.00.02 and later"}]}},{"product_name":"FlashAir W-03 series Class 10 model","version":{"version_data":[{"version_value":"all firmware versions"}]}}]},"vendor_name":"Toshiba"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when \"Internet pass-thru Mode\" is enabled, which allows attackers with access to STA side LAN can obtain files or data."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Lack of authentication mechanism"}]}]},"references":{"reference_data":[{"name":"93479","refsource":"BID","url":"http://www.securityfocus.com/bid/93479"},{"name":"JVN#39619137","refsource":"JVN","url":"https://jvn.jp/en/jp/JVN39619137/index.html"},{"name":"JVNDB-2016-000168","refsource":"JVNDB","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000168"}]}}}},"cveMetadata":{"assignerOrgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","assignerShortName":"jpcert","cveId":"CVE-2016-4863","datePublished":"2017-05-22T16:00:00.000Z","dateReserved":"2016-05-17T00:00:00.000Z","dateUpdated":"2024-08-06T00:46:38.522Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-05-22 16:29:00","lastModifiedDate":"2025-04-20 01:37:25","problem_types":["CWE-287","Lack of authentication mechanism"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:P/I:N/A:N","baseScore":3.3,"accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":6.5,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:toshiba:flashair:*:*:*:*:*:*:*:*","versionEndIncluding":"1.00.03","matchCriteriaId":"CBA7647D-DB43-4DD7-89B4-02CD310B8F5B"},{"vulnerable":true,"criteria":"cpe:2.3:a:toshiba:flashair:*:*:*:*:*:*:*:*","versionEndIncluding":"1.00.04","matchCriteriaId":"A3E68A5E-C899-484D-87EA-F52414B66968"},{"vulnerable":true,"criteria":"cpe:2.3:a:toshiba:flashair:*:*:*:*:*:*:*:*","versionEndIncluding":"1.00.06","matchCriteriaId":"8288D17C-1CE9-4B38-81C4-9C702E5800D9"},{"vulnerable":true,"criteria":"cpe:2.3:a:toshiba:flashair:*:*:*:*:*:*:*:*","versionEndIncluding":"1.02","matchCriteriaId":"C0CE8592-61C3-4F18-9398-3F9C2F5531A4"},{"vulnerable":true,"criteria":"cpe:2.3:a:toshiba:flashair:*:*:*:*:*:*:*:*","versionEndIncluding":"2.00.03","matchCriteriaId":"E7DB5458-E52B-497D-8B09-040FCDB13B78"},{"vulnerable":true,"criteria":"cpe:2.3:a:toshiba:flashair:*:*:*:*:*:*:*:*","versionEndIncluding":"3.00.01","matchCriteriaId":"48762E2F-044E-43C6-8221-FBFBA9C8E7E4"},{"vulnerable":true,"criteria":"cpe:2.3:a:toshiba:flashair:*:*:*:*:*:*:*:*","versionEndIncluding":"3.0.2","matchCriteriaId":"C182FF61-0D00-4AE6-94CD-38BBB47050D5"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"4863","Ordinal":"1","Title":"CVE-2016-4863","CVE":"CVE-2016-4863","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"4863","Ordinal":"1","NoteData":"The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when \"Internet pass-thru Mode\" is enabled, which allows attackers with access to STA side LAN can obtain files or data.","Type":"Description","Title":"CVE-2016-4863"},{"CveYear":"2016","CveId":"4863","Ordinal":"2","NoteData":"2017-05-22","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"4863","Ordinal":"3","NoteData":"2017-05-23","Type":"Other","Title":"Modified"}]}}}