PatchSiren

CVE-2017-5146 Carlo Gavazzi CVE debrief

CVE-2017-5146 is a high-severity information-disclosure issue in Carlo Gavazzi VMU-C EM and VMU-C PV firmware. Versions prior to VMU-C EM A11_U05 and VMU-C PV A17 store sensitive information in clear text, which can expose confidential data if the device or its stored data is accessed.

Vendor: Carlo Gavazzi
Product: VMU-C EM, VMU-C PV
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Asset owners, operators, and administrators responsible for Carlo Gavazzi VMU-C EM and VMU-C PV devices should treat this as relevant, especially OT/ICS teams that manage firmware baselines, device access controls, or backups containing device data.

Technical summary

NVD classifies the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and rates it CVSS 3.0 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The core issue is that sensitive information is stored in clear text in affected firmware, creating confidentiality risk if the stored data is exposed. NVD lists vulnerable firmware for VMU-C EM prior to A11_U05 and VMU-C PV prior to A17.

Defensive priority

High. The issue is already publicly disclosed and has a CVSS score of 7.5 with high confidentiality impact. Prioritize remediation for any deployed affected firmware and any environments where device data, images, or backups may be accessible.

Recommended defensive actions

  • Upgrade VMU-C EM firmware to A11_U05 or later.
  • Upgrade VMU-C PV firmware to A17 or later.
  • Inventory all deployed VMU-C EM and VMU-C PV devices to identify affected firmware versions.
  • Review where device data, backups, or exported configuration files are stored and restrict access to them.
  • If sensitive material may have been exposed, rotate or replace any secrets that could have been stored on the device.
  • Verify that only authorized personnel can access the devices and related management interfaces.

Evidence notes

The CVE was published on 2017-02-13 and later modified in NVD on 2026-05-13; the issue date should be taken from the CVE publication timestamp, not the modification date. The supplied NVD record cites CVSS 3.0 7.5 HIGH, CWE-200, and firmware thresholds for VMU-C EM and VMU-C PV. References in the source corpus include ICS-CERT advisory ICSA-17-012-03 and SecurityFocus BID 95411.

Official resources

Publicly disclosed on 2017-02-13. The NVD record was later modified on 2026-05-13, but that modification date is not the vulnerability disclosure date.