PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-2274 Adcon Telemetry CVE debrief

CVE-2016-2274 is a cross-site scripting (XSS) weakness in the Adcon Telemetry A850 Telemetry Gateway Base Station web interface. According to the CVE record and NVD, user-controllable input is not properly neutralized before being placed into output, which can let a remote attacker influence what the browser renders. The issue was publicly disclosed on 2017-02-13 and later updated in NVD on 2026-05-13. The listed CVSS v3.0 score is 6.1 (Medium), reflecting network exposure, required user interaction, and impacts limited to confidentiality and integrity.

Vendor
Adcon Telemetry
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2016-09-11
Original CVE updated
2025-06-05
Advisory published
2016-09-11
Advisory updated
2025-06-05

Who should care

Organizations that operate or maintain Adcon Telemetry A850 Telemetry Gateway Base Station firmware, especially teams exposing the web interface to users or admins over a network. Security teams should also care if the gateway is used in operational technology or remote monitoring environments where browser-based management is common.

Technical summary

NVD classifies the weakness as CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS). The vulnerable component is the A850 Telemetry Gateway Base Station firmware/web interface, with the affected CPE listed as cpe:2.3:o:adcon_telemetry:a850_telemetry_gateway_base_station_firmware:-:*:*:*:*:*:*:* . The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates a remotely reachable issue that requires a victim to interact with the web content. The practical effect is browser-side script execution in a user’s session, which can expose or alter web interface data within the scope of that user’s browser context.

Defensive priority

Medium. The issue is publicly known, network-reachable, and requires user interaction, so it should be addressed in normal vulnerability management and OT/ICS hardening cycles rather than treated as a zero-interaction critical flaw.

Recommended defensive actions

  • Confirm whether any deployed Adcon Telemetry A850 Telemetry Gateway Base Station firmware matches the affected CPE listed in NVD.
  • Review the official CVE and ICS-CERT references for vendor-specific mitigation guidance before making changes.
  • Restrict access to the device web interface to trusted administrative networks only.
  • Use segmentation, firewall rules, and management-plane ACLs to reduce who can reach the interface.
  • Apply any vendor remediation or firmware update identified in the official advisory if available.
  • Validate browser and session protections for administrative users, including least-privilege access and secure handling of authenticated sessions.
  • Monitor for unusual input patterns or suspicious web requests against the management interface.

Evidence notes

This debrief is based only on the supplied NVD/CVE corpus and linked official references. The core facts are: an XSS issue in the Adcon Telemetry A850 Telemetry Gateway Base Station web interface, CWE-79 classification, CVSS v3.0 6.1 Medium, and the affected firmware CPE. No exploit steps, proof-of-concept code, or unverified remediation details are included. NVD references point to an ICS-CERT advisory and a SecurityFocus VDB entry; the ICS-CERT advisory is the more authoritative mitigation reference in the provided source set.

Official resources

Publicly disclosed in NVD/CVE on 2017-02-13; NVD record was modified on 2026-05-13. The advisory references in the supplied corpus point to an ICS-CERT bulletin and a SecurityFocus VDB entry.