CVE-2016-6564 [High] | Security Vulnerability in Hot X507 Firmware

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.34%	2.66%	+2.32%
2	2026-01-27	0.44%	0.34%	-0.10%
3	2025-03-30	—	0.44%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.34%

2.66%

+2.32%

2026-01-27

0.44%

0.34%

-0.10%

2025-03-30

—

0.44%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.1	3.0	HIGH	`CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.2	5.9	[email protected]
9.3	2.0	HIGH	`AV:N/AC:M/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	8.6	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.1

3.0

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.2

5.9

[email protected]

9.3

2.0

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

8.6

10.0

[email protected]

Affected software / configurations for CVE-2016-6564

Vendor	Product	Version	Raw CPE
infinixauthority	hot_x507_firmware	—	cpe:2.3:o:infinixauthority:hot_x507_firmware:-:::::::*
infinixauthority	hot_2_x510_firmware	—	cpe:2.3:o:infinixauthority:hot_2_x510_firmware:-:::::::*
infinixauthority	zero_x506_firmware	—	cpe:2.3:o:infinixauthority:zero_x506_firmware:-:::::::*
infinixauthority	zero_2_x509_firmware	—	cpe:2.3:o:infinixauthority:zero_2_x509_firmware:-:::::::*
bluproducts	studio_g_firmware	—	cpe:2.3:o:bluproducts:studio_g_firmware:-:::::::*
bluproducts	studio_g_plus_firmware	—	cpe:2.3:o:bluproducts:studio_g_plus_firmware:-:::::::*
bluproducts	studio_6.0_hd_firmware	—	cpe:2.3:o:bluproducts:studio_6.0_hd_firmware:-:::::::*
bluproducts	studio_x_firmware	—	cpe:2.3:o:bluproducts:studio_x_firmware:-:::::::*
bluproducts	studio_x_plus_firmware	—	cpe:2.3:o:bluproducts:studio_x_plus_firmware:-:::::::*
bluproducts	studio_c_hd_firmware	—	cpe:2.3:o:bluproducts:studio_c_hd_firmware:-:::::::*
xolo	cube_5.0_firmware	—	cpe:2.3:o:xolo:cube_5.0_firmware:-:::::::*
beeline	pro_2_firmware	—	cpe:2.3:o:beeline:pro_2_firmware:-:::::::*
iku-mobile	colorful_k45i_firmware	—	cpe:2.3:o:iku-mobile:colorful_k45i_firmware:-:::::::*
leagoo	lead_5_firmware	—	cpe:2.3:o:leagoo:lead_5_firmware:-:::::::*
leagoo	lead_6_firmware	—	cpe:2.3:o:leagoo:lead_6_firmware:-:::::::*
leagoo	lead_3i_firmware	—	cpe:2.3:o:leagoo:lead_3i_firmware:-:::::::*
leagoo	lead_2s_firmware	—	cpe:2.3:o:leagoo:lead_2s_firmware:-:::::::*
leagoo	alfa_6_firmware	—	cpe:2.3:o:leagoo:alfa_6_firmware:-:::::::*
doogee	voyager_2_dg310i_firmware	—	cpe:2.3:o:doogee:voyager_2_dg310i_firmware:-:::::::*

References for CVE-2016-6564

URL	Tags
https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack	Exploit Third Party Advisory
https://www.kb.cert.org/vuls/id/624539	Third Party Advisory US Government Resource
https://www.securityfocus.com/bid/94393/	Third Party Advisory VDB Entry

URL

CVE-2016-6564 | Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges

Public exploit references (Exploit-DB) for CVE-2016-6564

Exploit prediction scoring system (EPSS) score for CVE-2016-6564

Common vulnerability scoring system (CVSS) metrics for CVE-2016-6564

Weakness enumeration for CVE-2016-6564

Affected software / configurations for CVE-2016-6564

References for CVE-2016-6564