PatchSiren

CVE-2016-2274 Adcon Telemetry CVE debrief

CVE-2016-2274 is a cross-site scripting (XSS) weakness in the Adcon Telemetry A850 Telemetry Gateway Base Station web interface. According to the CVE record and NVD, user-controllable input is not properly neutralized before being placed into output, which can let a remote attacker influence what the browser renders. The issue was publicly disclosed on 2017-02-13 and later updated in NVD on 2026-05-13. The listed CVSS v3.0 score is 6.1 (Medium), reflecting network exposure, required user interaction, and impacts limited to confidentiality and integrity.

Vendor: Adcon Telemetry
Product: CVE-2016-2274
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations that operate or maintain Adcon Telemetry A850 Telemetry Gateway Base Station firmware, especially teams exposing the web interface to users or admins over a network. Security teams should also care if the gateway is used in operational technology or remote monitoring environments where browser-based management is common.

Technical summary

NVD classifies the weakness as CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS). The vulnerable component is the A850 Telemetry Gateway Base Station firmware/web interface, with the affected CPE listed as cpe:2.3:o:adcon_telemetry:a850_telemetry_gateway_base_station_firmware:-:*:*:*:*:*:*:* . The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates a remotely reachable issue that requires a victim to interact with the web content. The practical effect is browser-side script execution in a user’s session, which can expose or alter web interface data within the scope of that user’s browser context.

Defensive priority

Medium. The issue is publicly known, network-reachable, and requires user interaction, so it should be addressed in normal vulnerability management and OT/ICS hardening cycles rather than treated as a zero-interaction critical flaw.

Recommended defensive actions

  • Confirm whether any deployed Adcon Telemetry A850 Telemetry Gateway Base Station firmware matches the affected CPE listed in NVD.
  • Review the official CVE and ICS-CERT references for vendor-specific mitigation guidance before making changes.
  • Restrict access to the device web interface to trusted administrative networks only.
  • Use segmentation, firewall rules, and management-plane ACLs to reduce who can reach the interface.
  • Apply any vendor remediation or firmware update identified in the official advisory if available.
  • Validate browser and session protections for administrative users, including least-privilege access and secure handling of authenticated sessions.
  • Monitor for unusual input patterns or suspicious web requests against the management interface.

Evidence notes

This debrief is based only on the supplied NVD/CVE corpus and linked official references. The core facts are: an XSS issue in the Adcon Telemetry A850 Telemetry Gateway Base Station web interface, CWE-79 classification, CVSS v3.0 6.1 Medium, and the affected firmware CPE. No exploit steps, proof-of-concept code, or unverified remediation details are included. NVD references point to an ICS-CERT advisory and a SecurityFocus VDB entry; the ICS-CERT advisory is the more authoritative mitigation reference in the provided source set.

Official resources

Publicly disclosed in NVD/CVE on 2017-02-13; NVD record was modified on 2026-05-13. The advisory references in the supplied corpus point to an ICS-CERT bulletin and a SecurityFocus VDB entry.