PatchSiren cyber security CVE debrief
CVE-2017-5165 Binom3 CVE debrief
CVE-2017-5165 is a cross-site request forgery (CSRF) issue affecting BINOM3 Universal Multifunctional Electric Power Quality Meter firmware. According to NVD, the flaw stems from missing CSRF tokens on pages and/or sensitive functions, which can let a remote attacker cause unauthorized device actions with no direct authentication, including configuration changes and saving modified settings.
- Vendor: Binom3
- Product: CVE-2017-5165
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Operators, maintainers, and integrators responsible for BINOM3 Universal Multifunctional Electric Power Quality Meter deployments should review this issue, especially where the device is exposed through a web interface on trusted networks or reachable from user browsers.
Technical summary
NVD identifies the weakness as CWE-352 and rates it CVSS 3.0 7.6 HIGH (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H). The supplied description says no CSRF token is generated per page and/or per sensitive function, enabling silent unauthorized actions such as configuration parameter changes and saving altered configuration. The NVD record includes a vulnerable firmware CPE for the BINOM3 meter and references ICS-CERT advisory ICSA-17-031-01A and SecurityFocus BID 93028.
Defensive priority
High for any environment where the device web interface is reachable by users who may browse untrusted content or where the device is operationally important. Because exploitation relies on user interaction but can change device configuration without direct credentials, it is a meaningful integrity and availability risk.
Recommended defensive actions
- Review the device web interface for CSRF protections on all state-changing requests.
- Restrict access to the management interface to trusted administrative networks only.
- Use browser and network segmentation controls to reduce the chance of unintended authenticated requests.
- Validate whether a vendor firmware update or advisory guidance is available through the referenced ICS-CERT advisory and NVD record.
- Monitor for unexpected configuration changes and save operations on affected meters.
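One way to support the review and monitoring actions above is to scan proxy logs for state-changing requests to meter hosts that a browser did not originate from the meter's own pages. This is an added example, not code from the advisory, NVD, or the vendor; the JSON log format, host names, and request paths are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumption: a reverse proxy in front of the meters logs one JSON object per request.
METER_HOSTS = {"meter-01.plant.example"}           # constructed inventory
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Constructed sample log lines; hosts and paths are hypothetical, not real device endpoints.
SAMPLE_LOG = """\
{"ts":"2024-01-01T08:00:01Z","host":"meter-01.plant.example","method":"GET","path":"/","origin":null,"referer":null}
{"ts":"2024-01-01T08:01:10Z","host":"meter-01.plant.example","method":"POST","path":"/config","origin":"https://meter-01.plant.example","referer":"https://meter-01.plant.example/settings"}
{"ts":"2024-01-01T08:05:42Z","host":"meter-01.plant.example","method":"POST","path":"/config","origin":"https://news.example","referer":"https://news.example/article"}
{"ts":"2024-01-01T08:05:43Z","host":"meter-01.plant.example","method":"POST","path":"/save","origin":null,"referer":null}
{"ts":"2024-01-01T08:06:00Z","host":"intranet.example","method":"POST","path":"/form","origin":"https://news.example","referer":null}
"""

def source_host(entry):
    """Host the browser reports as the request's source (Origin first, then Referer)."""
    for header in ("origin", "referer"):
        value = entry.get(header)
        if value and value != "null":
            return urlsplit(value).hostname
    return None

def classify(entry):
    """Return a finding label, or None for benign or out-of-scope requests."""
    if entry["host"] not in METER_HOSTS or entry["method"].upper() not in STATE_CHANGING:
        return None
    src = source_host(entry)
    if src is None:
        return "no-origin"        # same-origin cannot be confirmed; review manually
    if src.lower() != entry["host"].lower():
        return "cross-origin"     # state change initiated from another site
    return None

def scan(log_text):
    """Return (timestamp, path, label, source host) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        label = classify(entry)
        if label:
            findings.append((entry["ts"], entry["path"], label, source_host(entry)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests flagged `no-origin` are not necessarily malicious (scripts and some clients omit both headers), so treat them as items to correlate with change records.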
Evidence notes
This debrief is based only on the supplied NVD record and referenced official/linked advisories. The corpus provides the vulnerability description, CVSS vector, and CWE-352 classification, but does not include a fixed firmware version range, patch release, or exploit details. NVD lists the issue as affecting BINOM3 Universal Multifunctional Electric Power Quality Meter firmware.
Official resources
- CVE-2017-5165 CVE record: CVE.org
- CVE-2017-5165 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory, US Government Resource
CVE published by NVD on 2017-02-13T21:59:02.957Z and last modified in the supplied record on 2026-05-13T00:24:29.033Z. No KEV listing is indicated in the supplied corpus.