PatchSiren cyber security CVE debrief

CVE-2017-5144 Carlosgavazzi CVE debrief

CVE-2017-5144 is a critical access-control flaw in Carlo Gavazzi VMU-C EM and VMU-C PV firmware. Affected versions before EM firmware A11_U05 and PV firmware A17 allow access to most application functions without authentication, so any exposed device should be treated as high risk.

Vendor: Carlosgavazzi
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-12
Original CVE updated: 2017-01-12
Advisory published: 2017-01-12
Advisory updated: 2017-01-12

Who should care

Operators, integrators, and maintainers of Carlo Gavazzi VMU-C EM and VMU-C PV deployments, especially where firmware is older than A11_U05 (EM) or A17 (PV) and the device is reachable from untrusted networks.

Technical summary

The source corpus describes an authentication/access-control failure that permits access to most application functions without authentication. NVD rates the issue as CVSS 3.0 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable exploitation with no privileges or user interaction required. NVD also leaves the weakness category as NVD-CWE-noinfo, so the source set does not provide a narrower CWE classification.

Defensive priority

Urgent / critical. If affected firmware is present, prioritize patching and reduce exposure immediately, because the flaw can be reached without authentication and is rated 9.8 critical by NVD.

Recommended defensive actions

  • Inventory all Carlo Gavazzi VMU-C EM and VMU-C PV devices and identify their firmware versions.
  • Upgrade VMU-C EM firmware to A11_U05 or later and VMU-C PV firmware to A17 or later.
  • Restrict network exposure of affected devices until they are confirmed patched, especially any management interfaces.
  • Review logs and access paths for unexpected or unauthenticated use of application functions.
  • If immediate upgrading is not possible, isolate affected devices with segmentation and tightly controlled access.
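As an added example (not code from PatchSiren or Carlo Gavazzi), the following Python helper applies the fixed-version thresholds above to a constructed device inventory and sorts hosts into affected, patched, or needs-manual-review. The firmware label format it parses, "A<major>" optionally followed by "_U<update>", is an assumption inferred from the two labels the advisory quotes, not documented vendor behaviour.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the CVE-2017-5144 debrief: anything older is affected.
FIXED_IN = {"VMU-C EM": "A11_U05", "VMU-C PV": "A17"}

# Assumption: labels look like "A<major>[_U<update>]" (e.g. "A11_U05", "A17").
# A label with no "_U" part is treated as update 0.
VERSION_RE = re.compile(r"^A(\d+)(?:_U(\d+))?$")


def parse_version(label: str) -> Tuple[int, int]:
    """Turn a VMU-C firmware label into a comparable (major, update) tuple.

    Numeric parsing matters: a plain string compare would rank "A9_U01"
    above "A11_U05" and wrongly mark that device as patched.
    """
    match = VERSION_RE.match(label.strip().upper())
    if not match:
        raise ValueError(f"unrecognised VMU-C firmware label: {label!r}")
    return int(match.group(1)), int(match.group(2) or 0)


def is_affected(model: str, firmware: str) -> bool:
    """True when the firmware predates the fixed release for that model."""
    fixed = FIXED_IN.get(model)
    if fixed is None:
        raise KeyError(f"no fix threshold recorded for model {model!r}")
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, model, firmware) records; unparseable entries go to review."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "review": []}
    for host, model, firmware in inventory:
        try:
            bucket = "affected" if is_affected(model, firmware) else "patched"
        except (ValueError, KeyError):
            bucket = "review"  # blank/odd label or unknown model: check by hand
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("em-01", "VMU-C EM", "A11_U04"), ("em-02", "VMU-C EM", "A11_U05"),
    ("em-03", "VMU-C EM", "A10_U09"), ("em-04", "VMU-C EM", "unknown"),
    ("em-05", "VMU-C EM", "A9_U01"),  ("pv-01", "VMU-C PV", "A16"),
    ("pv-02", "VMU-C PV", "A17"),     ("pv-03", "VMU-C PV", "A17_U01"),
    ("pv-04", "VMU-C PV", ""),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```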

Evidence notes

The CVE description states that the flaw affects VMU-C EM firmware prior to A11_U05 and VMU-C PV firmware prior to A17 and allows access to most application functions without authentication. NVD records CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and a generic weakness classification of NVD-CWE-noinfo. The CVE was published on 2017-02-13; the later 2026-05-13 modification date reflects record maintenance, not the original disclosure date.

Official resources

Publicly disclosed on 2017-02-13. The CVE record was later modified on 2026-05-13, but that date is record maintenance rather than the original issue date.