PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5146 Carlo Gavazzi CVE debrief

CVE-2017-5146 is a high-severity information-disclosure issue in Carlo Gavazzi VMU-C EM and VMU-C PV firmware. Versions prior to VMU-C EM A11_U05 and VMU-C PV A17 store sensitive information in clear text, which can expose confidential data if the device or its stored data is accessed.

Vendor: Carlo Gavazzi
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-12
Original CVE updated: 2017-01-12
Advisory published: 2017-01-12
Advisory updated: 2017-01-12

Who should care

Asset owners, operators, and administrators responsible for Carlo Gavazzi VMU-C EM and VMU-C PV devices should treat this as relevant, especially OT/ICS teams that manage firmware baselines, device access controls, or backups containing device data.

Technical summary

NVD classifies the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and rates it CVSS 3.0 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The core issue is that sensitive information is stored in clear text in affected firmware, creating confidentiality risk if the stored data is exposed. NVD lists vulnerable firmware for VMU-C EM prior to A11_U05 and VMU-C PV prior to A17.

Defensive priority

High. The issue is already publicly disclosed and has a CVSS score of 7.5 with high confidentiality impact. Prioritize remediation for any deployed affected firmware and any environments where device data, images, or backups may be accessible.

Recommended defensive actions

  • Upgrade VMU-C EM firmware to A11_U05 or later.
  • Upgrade VMU-C PV firmware to A17 or later.
  • Inventory all deployed VMU-C EM and VMU-C PV devices to identify affected firmware versions.
  • Review where device data, backups, or exported configuration files are stored and restrict access to them.
  • If sensitive material may have been exposed, rotate or replace any secrets that could have been stored on the device.
  • Verify that only authorized personnel can access the devices and related management interfaces.
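
The inventory step above can be scripted. The following is an added example, not code from the vendor or from the advisory: it checks a device inventory against the two fixed-firmware thresholds named on this page. The CSV columns, host names, and the assumption that firmware names follow the pattern A<release>[_U<update>] and sort by release and then update are illustrative assumptions.

```python
import csv
import io
import re

# Fixed-version thresholds taken from the advisory text on this page.
FIXED = {"VMU-C EM": "A11_U05", "VMU-C PV": "A17"}

# Assumption: firmware names look like A<release>[_U<update>] and order by
# (release, update), with a missing update counted as 0.
_VERSION = re.compile(r"^A(\d+)(?:_U(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (release, update), or None if the string does not fit the assumed scheme."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(model, firmware):
    """Return 'affected', 'fixed', 'review' (unparseable) or 'out-of-scope'."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "out-of-scope"
    current = parse_version(firmware)
    if current is None:
        return "review"  # never treat an unreadable version as safe
    return "affected" if current < parse_version(fixed) else "fixed"


def audit(inventory_csv):
    """Map each host in a CSV with host,model,firmware columns to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}


# Constructed sample inventory (hosts and versions are illustrative, not real devices).
SAMPLE = """host,model,firmware
meter-01,VMU-C EM,A11_U04
meter-02,VMU-C EM,A11_U05
pv-01,VMU-C PV,A16
pv-02,VMU-C PV,A17
pv-03,VMU-C PV,unknown
gw-01,Other Gateway,1.2.3
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as 'review' need their firmware confirmed by hand before they are counted as remediated.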

Evidence notes

The CVE was published on 2017-02-13 and later modified in NVD on 2026-05-13; the issue date should be taken from the CVE publication timestamp, not the modification date. The supplied NVD record cites CVSS 3.0 7.5 HIGH, CWE-200, and firmware thresholds for VMU-C EM and VMU-C PV. References in the source corpus include ICS-CERT advisory ICSA-17-012-03 and SecurityFocus BID 95411.

Official resources

Publicly disclosed on 2017-02-13. The NVD record was later modified on 2026-05-13, but that modification date is not the vulnerability disclosure date.