PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2766 EMC CVE debrief

CVE-2017-2766 is a critical EMC Documentum eRoom issue involving an unverified password change vulnerability. NVD rates it CVSS 3.0 9.8 with network access, no privileges required, and no user interaction. In practical terms, the flaw can let a malicious actor change credentials without proper verification and potentially compromise the affected system.

Vendor: EMC
Product: CVE-2017-2766
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for EMC Documentum eRoom deployments, especially environments running version 7.4.4, 7.4.4 SP1, and versions prior to 7.4.5 P04 or 7.5.0 P01. Identity, application, and incident response teams should also pay attention because the weakness affects password handling.

Technical summary

The CVE is mapped to CWE-640 and described as an unverified password change weakness in EMC Documentum eRoom. NVD assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue with no required authentication or user interaction and severe impact if abused. The supplied record lists affected CPEs for eRoom 7.4.4, 7.4.4 SP1, 7.4.5, 7.4.5 P01-P03, and 7.5.0, while the prose description highlights remediation boundaries of prior to 7.4.5 P04 and prior to 7.5.0 P01.

Defensive priority

High. This is a critical authentication-related flaw with potential for full compromise, and the CVSS vector indicates straightforward remote exploitation conditions.

Recommended defensive actions

  • Confirm whether EMC Documentum eRoom is deployed anywhere in the environment and inventory all affected instances.
  • Prioritize applying the vendor-fixed releases or patches referenced by the advisory materials for the affected versions.
  • Restrict network exposure to eRoom management and password-related functionality until remediation is complete.
  • Review authentication and password-change logs for unexpected credential resets or account takeover indicators.
  • If compromise is suspected, force credential resets for impacted accounts and investigate adjacent system access.

Evidence notes

Primary evidence comes from the supplied NVD record and CVE description: the flaw is an unverified password change vulnerability in EMC Documentum eRoom, with CVSS 9.8 and CWE-640. The CVE description states affected versions include eRoom 7.4.4, 7.4.4 SP1, prior to 7.4.5 P04, and prior to 7.5.0 P01. The NVD CPE criteria also enumerate 7.4.5, 7.4.5 P01-P03, and 7.5.0 as vulnerable entries. Because the prose and CPE expressions differ, treat the CVE description as the clearest scope statement and use the NVD detail page and linked advisories for validation.
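For the inventory step, the scope in the CVE description can be turned into a small triage helper. This is an added example, not PatchSiren or vendor code; it assumes inventory version strings are written the way this page writes them ("7.4.5 P03", "7.4.4 SP1"), and the hostnames are constructed.

```python
import re

# Scope as stated in the CVE description quoted on this page.
AFFECTED_EXACT = {"7.4.4", "7.4.4 SP1"}
FIXED_PATCH = {"7.4.5": 4, "7.5.0": 1}   # base release -> first fixed patch level

# Entries the page says the NVD CPE criteria enumerate as vulnerable.
CPE_LISTED = ["7.4.4", "7.4.4 SP1", "7.4.5", "7.4.5 P01",
              "7.4.5 P02", "7.4.5 P03", "7.5.0"]

# Assumed format: "<a.b.c>", optionally followed by "SP<n>" or "P<nn>".
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:\s+(SP|P)(\d+))?$", re.IGNORECASE)

def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'review' for one inventory version string."""
    m = VERSION_RE.match(" ".join(version.split()))
    if not m:
        return "review"                       # unparseable: never guess
    base, kind, level = m.group(1), (m.group(2) or "").upper(), m.group(3)
    normalized = base if not kind else f"{base} {kind}{int(level)}"
    if normalized in AFFECTED_EXACT:
        return "affected"
    if base in FIXED_PATCH and kind in ("", "P"):
        patch = int(level) if kind == "P" else 0
        return "affected" if patch < FIXED_PATCH[base] else "fixed"
    return "review"                           # outside the stated scope

def triage(inventory):
    """Group hosts by status so 'affected' and 'review' are worked first."""
    result = {"affected": [], "fixed": [], "review": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result

def cpe_entries_outside_prose_scope():
    """CPE-listed versions that the prose scope would NOT mark affected."""
    return [v for v in CPE_LISTED if classify(v) != "affected"]

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [("eroom-a.example", "7.4.4 SP1"), ("eroom-b.example", "7.4.5 P03"),
             ("eroom-c.example", "7.4.5 P04"), ("eroom-d.example", "7.5.0"),
             ("eroom-e.example", "7.5.0 P01"), ("eroom-f.example", "7.4.3")]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:8} {', '.join(hosts) or '-'}")
```

Anything returned as `review` (unparseable strings, or releases the description does not mention) should be checked against the NVD detail page and linked advisories rather than assumed safe.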

Official resources

The CVE was publicly published on 2017-02-03T07:59:00.560Z. The supplied NVD record was last modified on 2026-05-13T00:24:29.033Z. No KEV publication or ransomware linkage was supplied.