PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5144 Carlosgavazzi CVE debrief

CVE-2017-5144 is a critical access-control flaw in Carlo Gavazzi VMU-C EM and VMU-C PV firmware. Affected versions before EM firmware A11_U05 and PV firmware A17 allow access to most application functions without authentication, so any exposed device should be treated as high risk.

Vendor: Carlosgavazzi
Product: CVE-2017-5144
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Operators, integrators, and maintainers of Carlo Gavazzi VMU-C EM and VMU-C PV deployments, especially where firmware is older than A11_U05 (EM) or A17 (PV) and the device is reachable from untrusted networks.

Technical summary

The source corpus describes an authentication/access-control failure that permits access to most application functions without authentication. NVD rates the issue as CVSS 3.0 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable exploitation with no privileges or user interaction required. NVD also leaves the weakness category as NVD-CWE-noinfo, so the source set does not provide a narrower CWE classification.

Defensive priority

Urgent / critical. If affected firmware is present, prioritize patching and reduce exposure immediately, because the flaw can be reached without authentication and is rated 9.8 critical by NVD.

Recommended defensive actions

  • Inventory all Carlo Gavazzi VMU-C EM and VMU-C PV devices and identify their firmware versions.
  • Upgrade VMU-C EM firmware to A11_U05 or later and VMU-C PV firmware to A17 or later.
  • Restrict network exposure of affected devices until they are confirmed patched, especially any management interfaces.
  • Review logs and access paths for unexpected or unauthenticated use of application functions.
  • If immediate upgrading is not possible, isolate affected devices with segmentation and tightly controlled access.

Evidence notes

The CVE description states that the flaw affects VMU-C EM firmware prior to A11_U05 and VMU-C PV firmware prior to A17 and allows access to most application functions without authentication. NVD records CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and a generic weakness classification of NVD-CWE-noinfo. The CVE was published on 2017-02-13; the later 2026-05-13 modification date reflects record maintenance, not the original disclosure date.

Official resources

Publicly disclosed on 2017-02-13. The CVE record was later modified on 2026-05-13, but that date is record maintenance rather than the original issue date.