PatchSiren cyber security CVE debrief

CVE-2017-5145 Carlosgavazzi CVE debrief

CVE-2017-5145 is a critical cross-site request forgery (CSRF) vulnerability affecting Carlo Gavazzi VMU-C EM firmware prior to Version A11_U05 and VMU-C PV firmware prior to Version A17. A successful attack can cause unauthorized actions on the device, including configuration parameter changes and saving modified configuration. Because the issue is network-reachable and requires no privileges, it is a high-priority risk for environments that expose device management interfaces to untrusted users or networks.

Vendor: Carlosgavazzi
Product: CVE-2017-5145
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Industrial control, building automation, and energy-management teams that operate Carlo Gavazzi VMU-C EM or VMU-C PV devices should care, especially administrators responsible for web-based device management, network segmentation, and firmware lifecycle management.

Technical summary

NVD lists the weakness as CWE-352 (CSRF) with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability affects VMU-C EM firmware versions before A11_U05 and VMU-C PV firmware versions before A17. The impact described in the CVE is unauthorized execution of device actions, including changing configuration parameters and saving altered settings.
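As an added illustration of the CWE-352 weakness class described above (example code written for this debrief, not code from the device firmware, the vendor or PatchSiren): a toy "save configuration" handler that accepts any request carrying a valid session cookie, beside a hardened version that also requires POST, checks the Origin (or Referer) header against the device's own origin, and verifies a per-session synchronizer token. The management host name, the request shape, the parameter names and the foreign origin are all assumptions.

```python
import hmac
import secrets

DEVICE_ORIGIN = "https://vmuc.example.internal"  # hypothetical management host

class ConfigService:
    """Toy 'save configuration' endpoint; a request is a dict of method/headers/cookies/form."""

    def __init__(self):
        self.config = {"ntp_server": "10.0.0.1"}
        self.sessions = {}  # session id -> per-session CSRF token

    def save_config_vulnerable(self, req):
        # Only the session cookie is checked; browsers send it on cross-site posts too.
        if req["cookies"].get("sid") not in self.sessions:
            return 401
        self.config.update(req["form"])
        return 200

    def save_config_hardened(self, req):
        sid = req["cookies"].get("sid")
        if sid not in self.sessions:
            return 401
        if req["method"] != "POST":  # state changes only via POST, never GET
            return 405
        # Check 1: Origin (Referer as fallback) must be the device's own origin.
        source = req["headers"].get("Origin") or req["headers"].get("Referer", "")
        if source != DEVICE_ORIGIN and not source.startswith(DEVICE_ORIGIN + "/"):
            return 403
        # Check 2: per-session synchronizer token, compared in constant time.
        supplied = req["form"].get("csrf_token", "").encode()
        if not hmac.compare_digest(supplied, self.sessions[sid].encode()):
            return 403
        self.config.update({k: v for k, v in req["form"].items() if k != "csrf_token"})
        return 200

def simulate():
    svc = ConfigService()
    sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    svc.sessions[sid] = token  # an admin already logged in to the device
    # Constructed inputs: cross-site post has the cookie but a foreign Origin and no token.
    cross = {"method": "POST", "headers": {"Origin": "https://evil.example"},
             "cookies": {"sid": sid}, "form": {"ntp_server": "203.0.113.5"}}
    legit = {"method": "POST", "headers": {"Origin": DEVICE_ORIGIN}, "cookies": {"sid": sid},
             "form": {"ntp_server": "10.0.0.2", "csrf_token": token}}
    vuln = svc.save_config_vulnerable(cross)      # 200: setting silently changed
    changed = svc.config["ntp_server"]
    hard_cross = svc.save_config_hardened(cross)  # 403: blocked
    hard_legit = svc.save_config_hardened(legit)  # 200: accepted
    return vuln, changed, hard_cross, hard_legit, svc.config["ntp_server"]
```

A real fix on a device would additionally mark the session cookie SameSite and bind the token to the session server-side as shown; the simulation only covers the request-level checks.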

Defensive priority

Critical. The combination of network reachability, no required privileges, and direct impact on configuration integrity makes this a priority remediation item for any exposed or remotely managed deployment.

Recommended defensive actions

  • Upgrade VMU-C EM firmware to Version A11_U05 or later.
  • Upgrade VMU-C PV firmware to Version A17 or later.
  • Restrict management access to trusted administrative networks and users only.
  • Review whether the device web interface is reachable from untrusted segments and remove unnecessary exposure.
  • Check that administrative workflows do not depend on browser sessions that are also used to browse untrusted content, or on management endpoints shared with other users.
  • Monitor and audit configuration changes on affected devices for unexpected modifications.

Evidence notes

This debrief is based on the CVE description and NVD metadata supplied in the source corpus. The CVE states the affected firmware thresholds and the CSRF impact directly. NVD identifies CWE-352 and the CVSS v3.0 vector. Official reference links include the CVE record and NVD detail page, plus the ICS-CERT advisory referenced in the NVD record. The CVE publication date used here is 2017-02-13; the later 2026-05-13 modified date is a metadata update, not the issue date.

Official resources

CVE-2017-5145 was publicly disclosed on 2017-02-13. NVD metadata was later modified on 2026-05-13; that later date reflects record maintenance, not the vulnerability introduction.