PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9364 Fidelex CVE debrief

CVE-2016-9364 affects Fidelix FX-20 series controllers and is described as an arbitrary file reading issue caused by path traversal. The CVSS 3.0 vector in NVD indicates network access, no privileges, no user interaction, and high confidentiality impact. In practical defensive terms, this means an exposed controller service could allow an attacker to read files and directories they should not be able to access. The CVE description says versions prior to 11.50.19 are affected, and NVD lists vulnerable FX-2030A firmware/basic firmware through 11.50.18.

Vendor: Fidelex
Product: CVE-2016-9364
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations operating Fidelix FX-20 / FX-2030A controllers, especially teams responsible for OT/ICS asset inventory, patching, remote access controls, and server-side file exposure.

Technical summary

This is a CWE-22 path traversal weakness. According to the source corpus, the issue enables arbitrary file reading from the server, with no privileges required and no user interaction required. NVD maps the affected software CPEs to FX-2030A firmware and FX-2030A-basic firmware through version 11.50.18, while the CVE description states versions prior to 11.50.19 are impacted. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which aligns with a confidentiality-focused exposure.

Defensive priority

High

Recommended defensive actions

  • Inventory all Fidelix FX-20 / FX-2030A deployments and confirm firmware versions.
  • Prioritize upgrading affected firmware to 11.50.19 or later, consistent with the CVE description.
  • Restrict network access to controller management interfaces to trusted administrative hosts only.
  • Segment affected controllers from untrusted networks and limit lateral reachability.
  • Review logs and file-access telemetry for unusual requests that may indicate path traversal attempts.
  • Validate whether any exposed interfaces are reachable from the internet or broader enterprise networks.
  • Consult the linked ICS-CERT advisory for vendor guidance and deployment-specific mitigation steps.
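The technical summary above describes a CWE-22 path traversal that reads files outside the intended directory, and the log-review action asks teams to look for traversal attempts. The following is an added example, not code from Fidelix, NVD, or ICS-CERT: it scans constructed, hypothetical access-log lines (the FX-20 service's real request format and log layout are not in the record and are assumed here), decodes percent-encoding in several passes so double-encoded and backslash variants are not missed, and then applies the containment check a hardened file handler should perform after decoding, namely normalising the path and verifying it still sits under the allowed root, rather than searching for a literal `..`. The root directory `/files` is likewise an assumption.

```python
"""Detect path-traversal attempts in web-style access logs and show the
containment check a hardened file handler should apply.

Added example; the log format, the client addresses and the '/files' root
are constructed/hypothetical and do not describe the FX-20 controller's
actual service.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log lines (hypothetical format: client method path status).
SAMPLE_LOG = """\
10.0.0.5 GET /files/report.csv 200
10.0.0.9 GET /files/../../../../etc/passwd 200
10.0.0.9 GET /files/..%2f..%2f..%2fetc%2fshadow 200
10.0.0.9 GET /files/%252e%252e/%252e%252e/boot.ini 404
10.0.0.7 GET /files/subdir/..%5c..%5cwin.ini 200
10.0.0.3 GET /files/notes..txt 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def decode_path(raw: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (catches double
    encoding such as %252e), then treat backslashes as separators so
    '..\\' variants are handled the same way as '../'."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:  # nothing left to decode
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def escapes_root(path: str, root: str = "/files") -> bool:
    """True if the decoded request path normalises to a location outside
    `root`.  This is the check a hardened handler performs after decoding:
    it rejects '/files/../etc/passwd' but accepts '/files/notes..txt',
    which a naive substring search for '..' would wrongly flag."""
    normalized = posixpath.normpath(path)
    root = root.rstrip("/")
    return not (normalized == root or normalized.startswith(root + "/"))


def scan_log(text: str, root: str = "/files") -> list:
    """Return one finding per log line whose request escapes `root`.
    Each finding records the raw path, the resolved target and the HTTP
    status, so a 200 on an out-of-root path can be triaged as a likely
    successful read (the confidentiality impact the CVSS vector describes)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, raw_path, status = m.groups()
        decoded = decode_path(raw_path)
        if escapes_root(decoded, root):
            findings.append({
                "client": client,
                "method": method,
                "raw": raw_path,
                "resolved": posixpath.normpath(decoded),
                "status": int(status),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['status']} {f['raw']} -> {f['resolved']}")
```

Running the scanner over the constructed lines yields four findings (the `/etc/passwd`, `/etc/shadow`, `/boot.ini` and `win.ini` requests) and leaves `notes..txt` alone. When adapting this to a real deployment, feed it the controller's or a fronting proxy's actual request log and set `root` to the directory the file-serving endpoint is supposed to expose; prioritise hits whose status indicates success.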

Evidence notes

All findings here are limited to the supplied CVE/NVD corpus and linked references. NVD lists CWE-22 and the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The CVE description states arbitrary file reading via path traversal in Fidelix FX-20 series controllers prior to 11.50.19. NVD CPE data marks FX-2030A firmware/basic firmware through 11.50.18 as vulnerable. The source corpus also contains a naming inconsistency: the CVE description uses 'Fidelix' while the NVD CPE vendor string shows 'fidelex'.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-13T21:59:02.173Z. The supplied record was last modified on 2026-05-13T00:24:29.033Z. No KEV listing was provided in the source corpus.