PatchSiren cyber security CVE debrief
CVE-2016-9357 Eaton CVE debrief
CVE-2016-9357 affects legacy Eaton ePDUs that were already past end-of-life when the issue was disclosed. The vulnerability is a path traversal flaw that may allow an unauthenticated attacker to access configuration files through a specially crafted URL. NVD rates the issue as medium severity, with network access required but no privileges or user interaction needed. Because the impacted products are no longer supported, remediation is likely to center on isolation, access restriction, and replacement rather than vendor patching.
- Vendor: Eaton
- Product: Eaton ePDU, legacy EAMxxx, EMAxxx, EAMAxx, EMAAxx, and ESWAxx families
- CVE: CVE-2016-9357
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Organizations that still operate Eaton ePDUs from the affected legacy families: EAMxxx, EMAxxx, EAMAxx, EMAAxx, and ESWAxx. This is especially relevant for industrial, facilities, and data-center teams that may have forgotten these devices on management networks or left them reachable from broader internal segments.
Technical summary
The NVD entry classifies the weakness as CWE-22 (path traversal) and lists CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The affected firmware ranges identified in the NVD data are EAMxxx prior to 06-30-2015, EMAxxx prior to 01-31-2014, EAMAxx prior to 01-31-2014, EMAAxx prior to 01-31-2014, and ESWAxx prior to 01-31-2014. The supplied description indicates the attacker may be able to access configuration files using a specially crafted URL.
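The firmware ranges above are written as "prior to" dates, and two of the family names (EAMAxx, EMAAxx) share their first three letters with two others (EAMxxx, EMAxxx), which makes a naive prefix match misclassify devices. The following Python is an added example for this debrief, not Eaton or NVD code: it triages a constructed inventory against the NVD cutoffs. It assumes each inventory row carries a model string and a firmware build date written MM-DD-YYYY (the notation NVD uses) and that the x positions in the family names are alphanumeric wildcards; adapt parse_firmware_date() to whatever your asset system actually exports.

```python
"""Triage an ePDU inventory against the CVE-2016-9357 firmware cutoffs.

Added example for this debrief, not code from Eaton or NVD. The cutoff dates and
family names come from the NVD ranges quoted above. The inventory format (a model
string plus a firmware build date written MM-DD-YYYY, the notation NVD uses) is
an assumption for illustration; adapt parse_firmware_date() to whatever your
asset system exports.
"""
import re
from datetime import date

# Affected families with their "prior to" cutoffs. Longer prefixes come first so
# that an EAMAxx or EMAAxx model is not misread as EAMxxx or EMAxxx, which share
# the first three letters. "xx"/"xxx" are assumed to be alphanumeric wildcards.
AFFECTED_FAMILIES = (
    ("EAMAxx", re.compile(r"^EAMA[0-9A-Z]{2}$"), date(2014, 1, 31)),
    ("EMAAxx", re.compile(r"^EMAA[0-9A-Z]{2}$"), date(2014, 1, 31)),
    ("ESWAxx", re.compile(r"^ESWA[0-9A-Z]{2}$"), date(2014, 1, 31)),
    ("EAMxxx", re.compile(r"^EAM[0-9A-Z]{3}$"), date(2015, 6, 30)),
    ("EMAxxx", re.compile(r"^EMA[0-9A-Z]{3}$"), date(2014, 1, 31)),
)

# Constructed sample inventory (model, firmware date); not real device data.
SAMPLE_INVENTORY = (
    ("EAM123", "01-15-2015"),   # EAMxxx, before 06-30-2015 -> affected
    ("EAM456", "06-30-2015"),   # EAMxxx, exactly at the cutoff -> not affected
    ("EAMA01", "12-20-2013"),   # EAMAxx, before 01-31-2014 -> affected
    ("EMAA07", "02-01-2014"),   # EMAAxx, after the cutoff -> not affected
    ("eswa22", "01-30-2014"),   # ESWAxx, case-insensitive match -> affected
    ("G3XYZ1", "05-05-2019"),   # not one of the listed families -> unknown
)


def parse_firmware_date(text):
    """Parse an MM-DD-YYYY firmware date string; raise ValueError otherwise."""
    m = re.fullmatch(r"(\d{2})-(\d{2})-(\d{4})", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware date: {text!r}")
    month, day, year = (int(g) for g in m.groups())
    return date(year, month, day)


def classify(model, firmware):
    """Return (family, status).

    status is "affected" when the firmware date is strictly before the family's
    cutoff ("prior to" in the NVD range), "not_affected" when the family matched
    but the firmware is at or after the cutoff, and "unknown" when the model is
    not in any listed family. "unknown" means outside this CVE's scope, not safe.
    """
    model = model.strip().upper()
    for family, pattern, cutoff in AFFECTED_FAMILIES:
        if pattern.match(model):
            status = "affected" if parse_firmware_date(firmware) < cutoff else "not_affected"
            return family, status
    return None, "unknown"


def triage(inventory):
    """Classify every (model, firmware) pair and return a list of result dicts."""
    results = []
    for model, firmware in inventory:
        family, status = classify(model, firmware)
        results.append({"model": model, "firmware": firmware,
                        "family": family, "status": status})
    return results


def affected_models(inventory):
    """Models that still need isolation or replacement under this CVE."""
    return [r["model"] for r in triage(inventory) if r["status"] == "affected"]


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['model']:8} {r['firmware']:12} {str(r['family']):8} {r['status']}")
```

A device on exactly the cutoff date is reported as not affected because the NVD range says "prior to"; if your firmware string cannot be mapped to a build date with confidence, treat the device as affected until proven otherwise, since the product lines are end-of-life and no newer firmware is coming.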
Defensive priority
Medium. The confidentiality impact is limited, but the exposure is unauthenticated and network-reachable, and the affected devices are end-of-life. If any of these ePDUs remain deployed, they should be treated as legacy-risk assets and handled promptly.
Recommended defensive actions
- Inventory Eaton ePDUs and confirm whether any EAMxxx, EMAxxx, EAMAxx, EMAAxx, or ESWAxx devices are still in service.
- Remove any public exposure and restrict management access to tightly controlled administrative networks only.
- Segment legacy ePDUs so they are not reachable from general user networks or untrusted segments.
- If affected devices are still required, pursue replacement planning because the affected product lines are past end-of-life and no longer supported.
- Confirm from a trusted management host which networks can actually reach the device web interface, and monitor web-server, proxy, or IDS logs for requests to these devices that contain literal or percent-encoded "../" sequences. The device itself cannot be patched, so access control and detection are the compensating controls.
- Use the vendor and US-CERT references to confirm current mitigation guidance for your deployment environment.
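Because no firmware fix exists, watching for traversal attempts against the remaining devices is one of the few controls left. The following Python is an added example for this debrief, not code from Eaton, NVD, or the advisory. It scans constructed Apache/nginx combined-format log lines and flags any request whose decoded target contains a bare ".." segment. The request paths and addresses are placeholders; the record does not publish the actual crafted URL, and nothing here reproduces it. What the example shows is the normalisation a practitioner needs: repeated percent-decoding to catch double encoding, backslashes treated as separators, traversal hidden in a query parameter, and an exact-token check so that names like "..hidden" are not false positives.

```python
"""Flag HTTP requests whose decoded target contains a ".." traversal segment.

Added example for this debrief, not code from Eaton, NVD or the advisory. The
log lines are constructed in Apache/nginx combined-log style and the request
paths are placeholders; nothing here reproduces the actual crafted URL, which
the record does not publish. The point is the normalisation: percent-decoding
(repeated, to catch double encoding), backslash separators, and traversal
hidden in a query parameter.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample log; addresses are documentation ranges, paths are illustrative.
SAMPLE_LOG = r"""
10.0.5.23 - - [13/Feb/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [13/Feb/2017:10:00:05 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc/config HTTP/1.1" 200 1842
198.51.100.7 - - [13/Feb/2017:10:00:06 +0000] "GET /static/%252e%252e/%252e%252e/config.ini HTTP/1.1" 404 210
10.0.5.40 - - [13/Feb/2017:10:00:09 +0000] "GET /docs/..hidden/readme HTTP/1.1" 200 90
198.51.100.7 - - [13/Feb/2017:10:00:10 +0000] "GET /images/..\..\config HTTP/1.1" 400 0
198.51.100.7 - - [13/Feb/2017:10:00:12 +0000] "GET /view?file=..%2f..%2fconfig HTTP/1.1" 200 1842
garbage line that does not parse
"""


def normalise_target(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), then unify separators."""
    decoded = target
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def has_traversal(target):
    """True when any path segment or query token is exactly '..'.

    Splitting on the query delimiters as well as '/' catches traversal passed
    as a parameter value; requiring an exact '..' token avoids flagging names
    such as '..hidden'.
    """
    tokens = re.split(r"[/?&=]", normalise_target(target))
    return any(tok == ".." for tok in tokens)


def parse_line(line):
    """Return the fields of a combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_attempts(lines):
    """Return one dict per request whose target carries a traversal segment."""
    hits = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec and has_traversal(rec["target"]):
            hits.append({
                "client": rec["client"],
                "target": rec["target"],
                "normalised": normalise_target(rec["target"]),
                "status": int(rec["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']:15} {hit['status']} {hit['normalised']}")
```

Hits that returned a 200 status deserve the first look, because on an unpatched device they may indicate that a file was actually served rather than merely requested; a 400 or 404 still tells you who is probing the management network and from where.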
Evidence notes
All factual statements are drawn from the supplied NVD record and listed references. The record states the issue is a path traversal vulnerability that may permit unauthenticated access to configuration files, and it identifies the affected Eaton ePDU legacy product families and their end-of-life status. The supplied NVD metadata also provides the CVSS 3.0 vector and CWE-22 classification. No exploit details or unsupported remediation claims are included.
Official resources
- CVE-2016-9357 CVE record (CVE.org)
- CVE-2016-9357 NVD detail (NVD)
- Mitigation or vendor reference (Third Party Advisory, VDB Entry)
- Mitigation or vendor reference (Third Party Advisory, US Government Resource)
Publicly disclosed on 2017-02-13, based on the supplied CVE published date. The supplied record does not provide a separate issue-discovery date.