PatchSiren

CVE-2017-5164 Binom3 CVE debrief

CVE-2017-5164 is a cross-site scripting (XSS) vulnerability in BINOM3 Universal Multifunctional Electric Power Quality Meter firmware. The NVD record classifies it as CWE-79 and rates it CVSS 6.1 (Medium). Because the vector is network-based and user interaction is required, the main concern is browser-session compromise for users who access the affected interface.

Vendor: Binom3
Product: CVE-2017-5164
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations that deploy or administer BINOM3 Universal Multifunctional Electric Power Quality Meter firmware, especially teams that manage the device’s web-facing administration or monitoring interface. Security teams should also care if users can access the interface from trusted browsers or internal networks, since the impact is on browser sessions.

Technical summary

The supplied NVD data describes an input-validation flaw: the server does not properly verify malicious client-supplied input, which enables arbitrary script execution in another user’s browser session. NVD maps the issue to CWE-79 and provides a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, required user interaction, a changed scope, and low confidentiality and integrity impact with no availability impact.

Defensive priority

Medium. The vulnerability is externally reachable and can affect browser sessions, but it requires user interaction and does not indicate availability impact in the supplied CVSS data.

Recommended defensive actions

  • Review the ICS-CERT and vendor-linked guidance referenced in the NVD record for any firmware update or mitigation steps.
  • Restrict access to the device management interface to trusted administrative networks and users only.
  • Use account separation and least privilege for administrative browsing sessions that access the device UI.
  • Monitor for unexpected script behavior, session anomalies, or unusual input reflected in the interface.
  • If a firmware update is available from Binom3, validate and deploy it according to your change-control process.

Evidence notes

This debrief is based on the official NVD CVE record and the references embedded in that record. The NVD metadata identifies the weakness as CWE-79 and lists the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. References include an ICS-CERT advisory (ICSA-17-031-01A) and a SecurityFocus BID entry. The supplied enrichment does not mark this CVE as KEV.

Official resources

Publicly disclosed in the official CVE/NVD record on 2017-02-13. The supplied metadata shows a later database modification on 2026-05-13; that date reflects record maintenance, not the original vulnerability date.