PatchSiren cyber security CVE debrief
CVE-2016-9345 Emerson CVE debrief
CVE-2016-9345 describes a privilege-escalation issue in Emerson DeltaV Easy Security Management affecting DeltaV V12.3, V12.3.1, and V13.3. The published impact is that a local attacker may elevate privileges within the DeltaV control system. NVD classifies the issue as CVSS 6.8 (Medium) with a vector that includes adjacent access, high attack complexity, high privileges, no user interaction, and scope change.
- Vendor: Emerson
- Product: CVE-2016-9345
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Operators and administrators of Emerson DeltaV environments, especially sites running DeltaV Easy Security Management V12.3, V12.3.1, or V13.3. Security teams responsible for Windows-based ICS workstations, privilege management, and access control within control-system engineering environments should prioritize review.
Technical summary
The NVD record maps this issue to vulnerable DeltaV Easy Security Management versions 12.3, 12.3.1, and 13.3. The core weakness is categorized as CWE-264 (permissions, privileges, and access controls). The published CVSS vector is CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L, indicating a privilege-related issue with significant prerequisite access and a potential impact beyond the vulnerable component. The CVE description specifically states that a local attacker may be able to elevate privileges within the DeltaV control system.
Defensive priority
Medium. This is not marked as KEV and no ransomware linkage was supplied, but it affects industrial control system software and could enable unauthorized privilege gain. Treat as a targeted-hardening issue for affected DeltaV deployments, especially where engineering workstations or operator systems expose privileged local access paths.
Recommended defensive actions
- Inventory Emerson DeltaV installations and confirm whether Easy Security Management versions V12.3, V12.3.1, or V13.3 are present.
- Review vendor and ICS-CERT guidance linked from the record and apply any available remediation or compensating controls.
- Restrict local and adjacent access to DeltaV engineering and operator systems to only trusted administrators and required service accounts.
- Minimize privileged logon access on affected hosts and remove unnecessary administrative rights.
- Monitor for unusual privilege changes, account modifications, or policy tampering on DeltaV-related systems.
- Validate segmentation between control-system assets and general enterprise networks to reduce reachable attack paths.
Evidence notes
All substantive claims are drawn from the supplied NVD CVE record and its references. The record states the affected Emerson DeltaV Easy Security Management versions, the privilege-escalation impact, CVSS 6.8/Medium, the CVSS v3.0 vector, and CWE-264. Reference links include the official CVE record, NVD detail page, and the ICS-CERT advisory URL listed in the source corpus. No vendor patch details or exploit specifics were used because they were not present in the supplied corpus.
Official resources
- CVE-2016-9345 CVE record (CVE.org)
- CVE-2016-9345 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference ([email protected] - Third Party Advisory, VDB Entry)
- Mitigation or vendor reference ([email protected] - Third Party Advisory, US Government Resource)
CVE-2016-9345 was first published on 2017-02-13T21:59:01.767Z. NVD later modified the record on 2026-05-13T00:24:29.033Z. The CVE is not marked as a KEV item in the supplied data.