PatchSiren

CVE-2016-2783 Avaya CVE debrief

CVE-2016-2783 is a critical Avaya Fabric Connect Virtual Services Platform (VSP) Operating System Software vulnerability in the handling of VLAN and I-SIS indexes. According to the supplied description, a remote attacker can abuse crafted Ethernet frames to obtain unauthorized access on affected systems. The supplied NVD record classifies the issue as CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which is consistent with a network-reachable flaw that requires no privileges and no user interaction. The CVE description states affected versions are VOSS before 4.2.3.0 and 5.x before 5.0.1.0; the NVD CPE criteria in the supplied corpus enumerate vulnerable versions up to 4.2.2.0 and 5.0.0.0.

Vendor: Avaya
Product: CVE-2016-2783
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Network, infrastructure, and security teams operating Avaya Fabric Connect VSP environments, especially any deployment running VOSS versions earlier than 4.2.3.0 or 5.x earlier than 5.0.1.0.

Technical summary

The vulnerability is categorized by NVD as CWE-19 and scored CVSS 3.0 9.8 Critical with network attack vector, low complexity, and no required privileges or user interaction. The flaw is described as improper handling of VLAN and I-SIS indexes, which can allow unauthorized access through crafted Ethernet frames. The supplied record ties the issue to Avaya VSP Operating System Software and includes affected-version criteria for VOSS through 4.2.2.0 and 5.0.0.0, while the CVE description expresses the broader affected ranges as before 4.2.3.0 and 5.x before 5.0.1.0.

Defensive priority

Urgent: treat as a high-priority patching and exposure-control issue for any reachable Avaya VSP/VOSS deployment in the affected version ranges.

Recommended defensive actions

  • Inventory Avaya Fabric Connect VSP / VOSS deployments and confirm whether any system is running an affected version.
  • Upgrade affected systems to a fixed release that is outside the vulnerable ranges described in the CVE record.
  • Review network segmentation and access assumptions around these devices; the attack path is remote and uses crafted Ethernet frames.
  • Restrict management and control-plane reachability to trusted administrative networks wherever possible.
  • Monitor the NVD record and linked references for any version clarifications or remediation notes.
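
The inventory step above can be scripted. The following is an added example, not code from the CVE/NVD record or from Avaya: it checks version strings against both the CVE description ranges and the NVD CPE upper bounds quoted in this debrief, and flags builds that fall in the gap between them. Hostnames and inventory entries are constructed, and four-part dotted version strings are an assumption; anything else is sent to manual review.

```python
import re

# Boundaries as quoted in this debrief.
CVE_FIXED_4X = (4, 2, 3, 0)   # CVE description: "VOSS before 4.2.3.0"
CVE_FIXED_5X = (5, 0, 1, 0)   # CVE description: "5.x before 5.0.1.0"
NVD_MAX_4X = (4, 2, 2, 0)     # NVD CPE criteria: versions up to 4.2.2.0
NVD_MAX_5X = (5, 0, 0, 0)     # NVD CPE criteria: versions up to 5.0.0.0

# Assumption: versions are recorded as four dotted integers.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not in that form."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def in_cve_range(v):
    """Affected according to the CVE description ranges."""
    return v < CVE_FIXED_5X if v[0] == 5 else v < CVE_FIXED_4X

def in_nvd_criteria(v):
    """Covered by the NVD CPE upper bounds quoted in the debrief."""
    return v <= NVD_MAX_5X if v[0] == 5 else v <= NVD_MAX_4X

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "review"                     # unparseable: check by hand
    if not in_cve_range(v):
        return "outside-range"
    # In the CVE range but above the NVD bound: a CPE-only match misses it.
    return "affected" if in_nvd_criteria(v) else "affected-description-only"

def triage(inventory):
    return {host: classify(ver) for host, ver in inventory}

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = [
    ("vsp-core-01", "4.2.2.0"),
    ("vsp-core-02", "4.2.2.3"),
    ("vsp-edge-01", "5.0.0.0"),
    ("vsp-edge-02", "5.0.1.0"),
    ("vsp-lab-01", "4.2.3.0"),
    ("vsp-lab-02", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

Entries reported as affected-description-only are the ones a scanner keyed solely to the NVD CPE bounds would not flag, so they should be prioritized with the rest.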

Evidence notes

The debrief is based only on the supplied CVE/NVD corpus. The core facts come from the CVE description and the NVD record: vulnerable Avaya VSP Operating System Software versions, remote unauthorized access via crafted Ethernet frames, CVSS 3.0 9.8, and CWE-19. The supplied record was published on 2017-01-23 and last modified on 2026-05-13. NVD also lists SecurityFocus BID 92157 and a Packet Storm reference; their contents were not included in the corpus, so they are cited only as linked references.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-23. The supplied NVD record was last modified on 2026-05-13.