PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8369 Lynxspring CVE debrief

CVE-2016-8369 is a cross-site request forgery (CSRF) vulnerability in Lynxspring JENEsys BAS Bridge versions 1.1.8 and earlier. The issue is that the application does not sufficiently verify whether a request was intentionally made by the authenticated user, which can allow unintended actions to be triggered through a victim’s browser session. NVD rates the issue as HIGH severity with a CVSS v3.0 score of 8.8.

Vendor
Lynxspring
Product
JENEsys BAS Bridge (versions 1.1.8 and earlier)
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-13
Original CVE updated
2026-05-13
Advisory published
2017-02-13
Advisory updated
2026-05-13

Who should care

Organizations using Lynxspring JENEsys BAS Bridge, especially building automation and industrial control environments where web-based administrative sessions may be active. Security and operations teams responsible for BAS management interfaces should also treat this as relevant because CSRF can let an attacker leverage a valid user session.

Technical summary

NVD maps the weakness to CWE-352 (Cross-Site Request Forgery) and lists affected Lynxspring JENEsys BAS Bridge versions through 1.1.8. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network reachability, low attack complexity, no privileges required, but user interaction is required. The impact rating is high across confidentiality, integrity, and availability because a forged request may execute actions in the context of a legitimate user session.

Defensive priority

High. The combination of network reachability, no privileges required, and high potential impact makes this important to address promptly, particularly in environments where administrative web sessions are used or exposed.

Recommended defensive actions

  • Upgrade or replace Lynxspring JENEsys BAS Bridge versions 1.1.8 and earlier with a fixed version if one is available from the vendor.
  • Review and follow the mitigation guidance in ICS-CERT advisory ICSA-16-320-01.
  • Limit access to the BAS Bridge management interface to trusted administrative networks and users.
  • Reduce the window for session abuse: have users log out of the administrative interface when finished and avoid browsing untrusted sites while an administrative session is open, since a CSRF attack needs a live authenticated session in the victim's browser.
  • Validate that any web-facing management features have appropriate CSRF protections in place before restoring or expanding exposure.
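The weakness described in the technical summary and the check the last bullet asks for, shown together as an added example. This is not Lynxspring code and nothing in it is taken from JENEsys BAS Bridge: the "setpoint" action, the paths, the origin `https://bas.example.internal`, the session store and the two requests are all constructed for illustration. The vulnerable handler trusts the session cookie alone, which is the CWE-352 shape; the hardened handler also requires a same-origin Origin/Referer header and a per-session synchronizer token, and `csrf_findings` is the same check factored out so it can be run over captured requests when validating a management feature before exposure.

```python
# Added example, not Lynxspring code: a minimal model of a CSRF-vulnerable
# state-changing endpoint next to a hardened version, exercised with a forged
# request of the kind CWE-352 describes. All names, paths and the "setpoint"
# action are hypothetical; nothing here is taken from JENEsys BAS Bridge.
import hmac
import secrets
from dataclasses import dataclass, field

SITE = "https://bas.example.internal"   # hypothetical origin of the BAS UI
SESSIONS = {}                            # session id -> {"user", "csrf"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session and bind a per-session synchronizer token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def vulnerable_set_setpoint(req, state):
    """CWE-352 shape: the only check is that a valid session cookie arrived.
    Browsers attach cookies to cross-site form posts automatically, so a
    request the user never intended passes this check."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    state["setpoint"] = float(req.form["setpoint"])
    return 200


def csrf_findings(req, sess):
    """Return the list of CSRF controls the request fails. An empty list means
    the request carries evidence that the user's own page on SITE produced it.
    Usable inside a handler and as an offline check over captured requests."""
    findings = []
    if req.method != "POST":
        findings.append("state change via non-POST method")
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    # exact origin or a path under it; a prefix test alone would accept
    # https://bas.example.internal.attacker.example
    if not (origin == SITE or origin.startswith(SITE + "/")):
        findings.append("Origin/Referer is not the application's own origin")
    token = req.form.get("csrf_token", "")
    # constant-time compare; a missing token simply compares unequal
    if not hmac.compare_digest(token, sess["csrf"]):
        findings.append("missing or wrong synchronizer token")
    return findings


def hardened_set_setpoint(req, state):
    """Same action, but the request must prove it came from the user's page."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if csrf_findings(req, sess):
        return 403
    state["setpoint"] = float(req.form["setpoint"])
    return 200


def forged_request(sid):
    """Constructed: what the victim's browser sends when an attacker page
    auto-submits a form. The session cookie rides along, the Origin is the
    attacker's site, and the attacker cannot read the victim's token."""
    return Request("POST", "/setpoint", {"sid": sid}, {"setpoint": "35"},
                   {"Origin": "https://attacker.example"})


def legitimate_request(sid):
    """Constructed: the same action submitted from the application's own page."""
    return Request("POST", "/setpoint", {"sid": sid},
                   {"setpoint": "22", "csrf_token": SESSIONS[sid]["csrf"]},
                   {"Origin": SITE})


def demo():
    """Run both handlers against both requests; returns (status map,
    setpoint left by the vulnerable handler, setpoint left by the hardened one)."""
    sid = login("operator")
    vuln_state = {"setpoint": 21.0}
    hard_state = {"setpoint": 21.0}
    results = {
        "vulnerable_forged": vulnerable_set_setpoint(forged_request(sid), vuln_state),
        "hardened_forged": hardened_set_setpoint(forged_request(sid), hard_state),
        "hardened_legit": hardened_set_setpoint(legitimate_request(sid), hard_state),
        "forged_findings": csrf_findings(forged_request(sid), SESSIONS[sid]),
    }
    return results, vuln_state["setpoint"], hard_state["setpoint"]


if __name__ == "__main__":
    print(demo())
```

The forged request changes the setpoint through the vulnerable handler and is refused by the hardened one, while the legitimate request still succeeds. When auditing a real interface, feed `csrf_findings` the state-changing requests captured from a proxy; any endpoint whose normal traffic would produce findings has no protection that a forged request would fail.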

Evidence notes

The vulnerability description, affected version range, CVSS vector, and CWE mapping come from NVD. The record also includes ICS-CERT advisory references (ICSA-16-320-01) and a SecurityFocus BID entry as supporting references. No KEV entry was provided in the source corpus, and no exploit details are included here.

Official resources

Publicly disclosed in NVD on 2017-02-13, with ICS-CERT advisory references tied to the same disclosure period. The source record was last modified on 2026-05-13. No Known Exploited Vulnerabilities (KEV) listing was provided in the supplied,