BCY-ADV-2026-005
Severity: HIGH (CVSS 7.5)
WPAD Proxy Hijack — Network Traffic Interception
CVE-2016-3236 · Same-Network Attack · All Web Traffic at Risk
Tags: CVE-2016-3236 · WPAD · Proxy Hijack · MitM · Network · Guest WiFi
Prepared by Warren Barr · Barr Cyber LLC · barr-cyber.com · May 2026
What This Is
WPAD (Web Proxy Auto-Discovery) lets a Windows client find its proxy configuration by asking the network for a host named "wpad" and downloading a script from whichever host answers. Because the client trusts that answer, an attacker with nothing more than a foothold on the same network segment can reply first and hand the victim a proxy configuration that routes its web traffic through the attacker. No exploit code is required. CVE-2016-3236 is the WPAD weakness Microsoft fixed in MS16-077, which hardened how Windows resolves the wpad name; the poisoning technique described here does not depend on that bug and still works against any host that has WPAD auto-detect enabled and resolves names over protocols an attacker can answer (LLMNR, NetBIOS, or a rogue IPv6 DNS server as planted by mitm6).
The exposure is greatest on shared networks, such as hotel guest WiFi, coworking spaces and flat office LANs, where any device on the subnet can take the attacker's position and silently proxy all web traffic from any Windows machine that has not disabled WPAD.
CVE Details
CVE: CVE-2016-3236
CVSS v3: 7.5 HIGH
CWE: CWE-20 Improper Input Validation
Patch: MS16-077 (June 2016)
Affected: Any Windows host with WPAD auto-detect enabled, which is the default for the "Automatically detect settings" option in Internet Settings and for the WinHTTP Web Proxy Auto-Discovery Service. The 2016 patch closes the specific bug but does not remove the exposure; only disabling WPAD (or taking name resolution out of the attacker's reach) does.
How It Works
On startup and periodically, a Windows host looks for a host named "wpad": first through DNS (wpad.<domain>, walking the domain suffix list), then, when DNS returns nothing, through link-local name resolution (LLMNR and, on hosts without the 2016 update, NetBIOS). Those fallback protocols are multicast or broadcast and carry no authentication, so any host on the segment can answer. A tool such as Responder answers with the attacker's address and then serves a wpad.dat proxy auto-configuration (PAC) script whose FindProxyForURL() returns the attacker's proxy. The victim's browser and other WinHTTP/WinINET clients then send every web request through that proxy. Plain HTTP is readable and modifiable in transit. HTTPS is not opened by the proxy itself: it sees the destination hostname in the CONNECT request but not the content. An SSL-stripping proxy can downgrade a session only when the victim starts from an http:// URL and the site is not protected by HSTS; preloaded HSTS sites cannot be stripped. The most reliable payoff in practice is credential capture: the rogue proxy answers the first request with 407 Proxy Authentication Required and an NTLM challenge, the Windows client responds automatically with the user's NTLMv2 response, and that hash is cracked offline or relayed. Session cookies and form credentials on plain-HTTP sites are exposed as well.
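The following script is an added example, not part of the original advisory. It reproduces the client side of the discovery path described above from an endpoint on the segment under test: it asks for "wpad" over DNS and over LLMNR/NetBIOS separately, fetches whatever wpad.dat the answering host serves (bypassing any proxy already configured and sending no credentials), and lists the proxies the PAC would steer traffic to. $KnownProxyHosts is a hypothetical allowlist; the Resolve-DnsName switches are from the built-in DnsClient module.

```powershell
# Added example: probe the wpad discovery path from a Windows endpoint.
# Assumptions: run from a host on the segment being tested; $KnownProxyHosts is
# a hypothetical allowlist of proxy hosts you legitimately operate.

$KnownProxyHosts = @('proxy.corp.example')   # hypothetical, edit for your site

function Find-WpadAnswerers {
    # Query each resolution path on its own so the origin of any answer is visible.
    $probes = @(
        @{ Path = 'DNS';          Args = @{ DnsOnly = $true } }
        @{ Path = 'LLMNR/NBT-NS'; Args = @{ LlmnrNetbiosOnly = $true } }
    )
    foreach ($p in $probes) {
        $a = $p.Args
        $answers = Resolve-DnsName -Name 'wpad' -Type A -ErrorAction SilentlyContinue @a
        foreach ($r in ($answers | Where-Object { $_.Type -eq 'A' })) {
            [pscustomobject]@{ Path = $p.Path; Name = $r.Name; Address = $r.IPAddress }
        }
    }
}

function Get-WpadScript {
    param([string]$Address)
    # Fetch the PAC directly: no proxy (so a hijacked proxy cannot tamper with the
    # fetch) and no default credentials (so a 407 from a rogue server gets nothing).
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = $null
    $wc.UseDefaultCredentials = $false
    try     { return $wc.DownloadString("http://$Address/wpad.dat") }
    catch   { return $null }
    finally { $wc.Dispose() }
}

function Get-PacProxies {
    param([string]$Pac)
    # Extract every PROXY/HTTPS/SOCKS directive from FindProxyForURL return strings.
    [regex]::Matches($Pac, '(?i)\b(PROXY|HTTPS|SOCKS5?)\s+([^;"''\s]+)') |
        ForEach-Object { $_.Groups[2].Value } | Sort-Object -Unique
}

$found = Find-WpadAnswerers
if (-not $found) { Write-Host 'No host answered for "wpad" on any resolution path.'; return }
foreach ($hit in $found) {
    Write-Host ("wpad answered via {0}: {1} -> {2}" -f $hit.Path, $hit.Name, $hit.Address)
    $pac = Get-WpadScript -Address $hit.Address
    if (-not $pac) { Write-Host '  (no wpad.dat served by that host)'; continue }
    foreach ($px in (Get-PacProxies -Pac $pac)) {
        $hostPart = ($px -split ':')[0]
        $verdict  = if ($KnownProxyHosts -contains $hostPart) { 'expected' } else { 'UNEXPECTED, treat as hijack' }
        Write-Host ("  PAC directs traffic to {0} [{1}]" -f $px, $verdict)
    }
    if ($hit.Path -ne 'DNS') {
        Write-Host '  NOTE: answer came from link-local resolution, which any host on the segment can spoof.'
    }
}
```

On a guest network where nobody legitimately runs a proxy, any answer at all, and especially one arriving over LLMNR/NetBIOS, is the indicator; on a corporate network the test is whether the PAC's PROXY targets are the hosts you operate.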
Detection
Check WPAD status (PowerShell). Three things matter: the per-user override, the machine-wide WinHTTP setting, and what the proxy settings currently point at.
# User-level WPAD status: WpadOverride = 1 means WPAD is disabled for this user
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" `
    -ErrorAction SilentlyContinue
# System-level WPAD status: DisableWpad = 1 disables WPAD for WinHTTP callers.
# The Microsoft-documented location is the WinHttp subkey; the Wpad subkey is read as well.
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" |
    ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue }
# Current proxy settings: a ProxyServer or AutoConfigURL nobody configured is a red flag
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL
# Safe result (both values present and set to 1; a missing value means WPAD is still enabled):
#   WpadOverride : 1   (user level, WPAD disabled)
#   DisableWpad  : 1   (system level, WPAD disabled)
IOCs
Protocol: DNS, LLMNR or NetBIOS name queries for "wpad" or "wpad.<domain>" from endpoints; on a guest network, any answer to such a query is suspect
Attack tool: Responder, mitm6, Metasploit WPAD modules (auxiliary/server/wpad)
Network: HTTP GET /wpad.dat requests to hosts other than the organisation's proxy server
Proxy: A proxy server or auto-config script appearing in browser or WinHTTP settings that no administrator configured
TLS: Certificate warnings on HTTPS sites (an intercepting proxy presenting its own certificate), or sites that normally use HTTPS loading over plain HTTP (SSL stripping itself produces no certificate warning)
Traffic: Unexpected outbound connections from endpoints to an unfamiliar IP on port 8080 or 3128, and HTTP 407 responses carrying NTLM challenges
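The script below is an added example, not part of the original advisory; it turns the host-side indicators above into a single sweep of one Windows machine: whether auto-detect is on in the Internet Settings connection flags, whether the DNS client cache holds a wpad record, which processes hold established sessions to the proxy ports named above, and whether a manual proxy or PAC URL points outside an allowlist. $ExpectedProxyHosts is a hypothetical allowlist; the flag-byte layout of DefaultConnectionSettings is the long-standing Internet Settings format, not something the advisory states.

```powershell
# Added example: sweep one Windows host for the WPAD hijack indicators listed above.
# Assumptions: run in an elevated PowerShell on the host being checked;
# $ExpectedProxyHosts is a hypothetical allowlist of your real proxy servers.

$ExpectedProxyHosts = @('proxy.corp.example')
$ProxyPorts = 8080, 3128

function Get-WpadAutoDetectState {
    # Byte 8 of DefaultConnectionSettings holds the connection flags:
    # 0x01 direct, 0x02 manual proxy, 0x04 auto-config script, 0x08 auto-detect (WPAD).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $bin = (Get-ItemProperty $key -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if (-not $bin -or $bin.Length -lt 9) { return 'unknown (value missing)' }
    if ($bin[8] -band 0x08) { 'ENABLED (auto-detect on)' } else { 'disabled' }
}

function Get-WpadCacheHits {
    # A cached wpad record means this host recently asked for, and received, an answer.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like 'wpad*' } |
        Select-Object Entry, Data, TimeToLive
}

function Get-SuspectProxyConnections {
    # Established sessions to the proxy ports, joined to the owning process.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ProxyPorts -contains $_.RemotePort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
                Known   = ($ExpectedProxyHosts -contains $_.RemoteAddress)
            }
        }
}

function Get-UnexpectedProxyConfig {
    # Manual proxy or PAC URL pointing somewhere other than the allowlisted hosts.
    $s = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $targets = @()
    if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) { $targets += $s.ProxyServer }
    if ($s.AutoConfigURL) { $targets += ([uri]$s.AutoConfigURL).Host }
    $targets | Where-Object { $_ -and (($_ -split ':')[0] -notin $ExpectedProxyHosts) }
}

Write-Host "WPAD auto-detect : $(Get-WpadAutoDetectState)"

$cache = Get-WpadCacheHits
if ($cache) { Write-Host 'DNS cache holds wpad entries:'; $cache | Format-Table -AutoSize | Out-String | Write-Host }
else        { Write-Host 'DNS cache        : no wpad entries' }

$conns = Get-SuspectProxyConnections | Where-Object { -not $_.Known }
if ($conns) { Write-Host 'Established sessions to proxy ports outside the allowlist:'; $conns | Format-Table -AutoSize | Out-String | Write-Host }
else        { Write-Host 'Proxy-port sessions: none outside the allowlist' }

$cfg = Get-UnexpectedProxyConfig
if ($cfg) { Write-Host "Proxy configuration not on the allowlist: $($cfg -join ', ')" }
else      { Write-Host 'Proxy config     : nothing outside the allowlist' }
```

The same checks port directly into an EDR or scheduled-task query; the value of running them on the endpoint is that a hijack is visible there (auto-detect on, a fresh wpad cache entry, a browser process talking to an unfamiliar host on 8080) before any network sensor sees the proxied traffic.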
Mitigation — PowerShell Commands
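The script below is an added example of the control set this page describes (WPAD disabled alongside LLMNR and NetBIOS over TCP/IP); it is not the advisory's own command list. It applies the Microsoft-documented registry settings and then reports the current state of each, so it can be run once without -Apply to audit and again with -Apply to enforce. The only assumption is that it runs as Administrator; the LLMNR and NetBIOS changes take effect after a reboot.

```powershell
# Added example: disable WPAD, LLMNR and NetBIOS over TCP/IP, then report the result.
# Assumptions: run as Administrator. Without -Apply the script only reports. The
# WinHttpAutoProxySvc service is disabled through its Start value because recent
# Windows builds refuse Set-Service on it. Reboot afterwards for the LLMNR and
# NetBIOS changes to take effect.

param([switch]$Apply)

function Set-Dword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if needed and set the value (only with -Apply); always report.
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    }
    $cur = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Setting = "$Path\$Name"; Wanted = $Value; Current = $cur; Ok = ($cur -eq $Value) }
}

$results = @()

# 1. WPAD off for the current user ("Automatically detect settings" in Internet Settings).
$results += Set-Dword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad' 'WpadOverride' 1

# 2. WPAD off for WinHTTP callers, machine-wide.
$results += Set-Dword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DisableWpad' 1

# 3. WinHTTP Web Proxy Auto-Discovery Service disabled (Start = 4).
$results += Set-Dword 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start' 4

# 4. LLMNR off (the "Turn off multicast name resolution" policy).
$results += Set-Dword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0

# 5. NetBIOS over TCP/IP off on every interface (NetbiosOptions 2 = disabled).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { $results += Set-Dword $_.PSPath 'NetbiosOptions' 2 }

$results | Format-Table -AutoSize
if (-not $Apply) { Write-Host 'Dry run only. Re-run with -Apply as Administrator to enforce.' }
elseif ($results | Where-Object { -not $_.Ok }) { Write-Host 'Some settings did not apply; check the Ok column.' }
else { Write-Host 'All settings applied. Reboot to complete the LLMNR and NetBIOS changes.' }
```

Steps 1 and 2 remove the host's interest in the wpad name; steps 4 and 5 remove the attacker's easiest way of answering it. Keep both halves: a host with WPAD disabled still leaks NTLM hashes to LLMNR/NetBIOS poisoning of other names, and a host with LLMNR and NetBIOS disabled but WPAD on is still exposed through rogue DHCPv6/DNS (mitm6).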
Sources
BCY-ADV-2026-005 · Published May 2026 · Barr Cyber LLC · Kalispell, MT
Barr Cyber — Network Hardening & Security
WPAD poisoning is particularly dangerous in shared network environments including hospitality properties. Barr Cyber network hardening disables WPAD alongside LLMNR and NetBIOS as a standard control set.