PatchSiren

CVE-2016-8361 Lynxspring CVE debrief

CVE-2016-8361 is a high-severity authentication weakness in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. According to the CVE record, the application uses a hard-coded username with no password, which can allow an attacker to gain access without authentication. NVD classifies the issue as CWE-798 and assigns CVSS 3.0 8.6 (network reachable, no privileges required, no user interaction).

Vendor: Lynxspring
Product: CVE-2016-8361
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations running Lynxspring JENEsys BAS Bridge 1.1.8 or older should treat this as urgent, especially OT/ICS and building-automation teams that expose the application on reachable networks.

Technical summary

The vulnerable product is identified in NVD as cpe:2.3:a:lynxspring:jenesys_bas_bridge with affected versions up to and including 1.1.8. The weakness is a hard-coded credential pattern: a username is embedded in the application and there is no password, resulting in unauthenticated access. NVD maps the issue to CWE-798 and rates it CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L. The vector describes a network-reachable, low-complexity attack that needs no privileges and no user interaction, with low confidentiality impact, high integrity impact, and low availability impact.

Defensive priority

High. The issue enables unauthenticated access over the network, so exposed instances should be prioritized for patching, segmentation, and access review.

Recommended defensive actions

  • Upgrade or replace Lynxspring JENEsys BAS Bridge if you are running version 1.1.8 or older, following vendor or ICS-CERT guidance.
  • Restrict network reachability to the application until remediation is complete; remove direct exposure from untrusted networks.
  • Audit the environment for unauthorized access or configuration changes that could indicate abuse of the unauthenticated access path.
  • Review and rotate any credentials, secrets, or service accounts that may be exposed through the affected system or connected integrations.
  • Validate asset inventory to confirm whether any deployed instances match the affected CPE and version range.
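One way to carry out the inventory check in the last item, as an added example that is not code from the vendor, NVD, or this site: it parses CPE 2.3 strings and flags entries that match the affected product at version 1.1.8 or older. The inventory rows, hostnames, and status labels are constructed for illustration; only the CPE vendor/product and the 1.1.8 upper bound come from the page.

```python
import re

# From the page: NVD CPE vendor/product, affected up to and including 1.1.8.
VENDOR, PRODUCT, MAX_AFFECTED = "lynxspring", "jenesys_bas_bridge", (1, 1, 8)

def parse_cpe23(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = re.split(r"(?<!\\):", cpe.strip())  # ':' may be backslash-escaped
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields[2], fields[3].lower(), fields[4].lower(), fields[5]

def version_tuple(version):
    """'1.1.8' -> (1, 1, 8); None for '*', '-' or non-numeric versions."""
    parts = version.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def classify(cpe):
    """Classify one inventory CPE against the affected range."""
    try:
        part, vendor, product, version = parse_cpe23(cpe)
    except ValueError:
        return "review"                      # malformed entry: check by hand
    if (part, vendor, product) != ("a", VENDOR, PRODUCT):
        return "other_product"
    found = version_tuple(version)
    if found is None:
        return "review"                      # version unknown: verify on the device
    # Pad so that '1.1' compares as 1.1.0, and compare numerically so that
    # 1.1.10 is correctly newer than 1.1.8 (a string compare gets this wrong).
    width = max(len(found), len(MAX_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return "affected" if pad(found) <= pad(MAX_AFFECTED) else "outside_range"

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [
    ("bas-bridge-01", "cpe:2.3:a:lynxspring:jenesys_bas_bridge:1.1.8:*:*:*:*:*:*:*"),
    ("bas-bridge-02", "cpe:2.3:a:lynxspring:jenesys_bas_bridge:1.0:*:*:*:*:*:*:*"),
    ("bas-bridge-03", "cpe:2.3:a:lynxspring:jenesys_bas_bridge:1.1.10:*:*:*:*:*:*:*"),
    ("bas-bridge-04", "cpe:2.3:a:lynxspring:jenesys_bas_bridge:*:*:*:*:*:*:*:*"),
    ("hvac-hmi-01", "cpe:2.3:a:example_vendor:example_hmi:2.0:*:*:*:*:*:*:*"),
]

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(cpe) for host, cpe in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Entries reported as "review" have a wildcard, missing, or non-numeric version and need the installed version confirmed on the device before they can be ruled out.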

Evidence notes

The CVE record published on 2017-02-13 describes an issue in Lynxspring JENEsys BAS Bridge 1.1.8 and older where a hard-coded username with no password allows access without authentication. NVD’s modified record lists affected CPE coverage through version 1.1.8 inclusive and maps the weakness to CWE-798. The supplied data also includes NVD CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L and references an ICS-CERT mitigation advisory. No CISA KEV entry is present in the supplied enrichment data.

Official resources

Published in the CVE record on 2017-02-13 and last modified in the supplied NVD data on 2026-05-13. No KEV listing is present in the supplied enrichment data.