PatchSiren cyber security CVE debrief
CVE-2016-9339 Macgregor CVE debrief
CVE-2016-9339 is a path traversal vulnerability disclosed in 2017 affecting INTERSCHALT Maritime Systems VDR G4e firmware versions 5.220 and earlier. The issue stems from external input being used to build file or directory paths without adequately neutralizing special path elements, which can let an attacker read files on the system. NVD rates the issue as medium severity with a network attack vector and no required authentication or user interaction.
- Vendor: Macgregor
- Product: CVE-2016-9339
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Operators, integrators, and defenders responsible for INTERSCHALT Maritime Systems VDR G4e systems or related maritime recording deployments should care most, especially where the device is reachable from less trusted networks or administrative interfaces are exposed.
Technical summary
NVD maps this issue to CWE-22 (Path Traversal). The vulnerable condition is present when untrusted input is incorporated into file paths without proper validation or canonicalization. For the affected firmware range (5.220 and prior), this can allow unauthorized file read access on the device. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, reflecting network reachability, low attack complexity, no privileges, no user interaction, and confidentiality impact only.
Defensive priority
Moderate. The impact is narrower than code execution, but unauthenticated remote file read on an industrial or maritime system can still expose configuration data, credentials, logs, or operational details. Prioritize if the device is network-accessible or handles sensitive recordings.
Recommended defensive actions
- Identify all deployed INTERSCHALT Maritime Systems VDR G4e systems and confirm whether firmware is version 5.220 or earlier.
- Review the linked US-CERT/ICS advisory for vendor remediation guidance and apply any validated vendor update or mitigation path.
- Restrict network exposure to the device and its management interfaces using segmentation and access controls.
- Validate that any file-handling code or configuration on the device is not reachable from untrusted users or services.
- Monitor for unusual file-access patterns, disclosure of configuration data, or access attempts targeting path components such as traversal sequences.
- If you operate a fleet, document affected asset locations and prioritize remediation for internet-facing or cross-zone deployments.
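The monitoring step above can be sketched as a log scan. This is an added example, not code from the advisory or the vendor. It assumes requests to the device are logged in Common Log Format by a proxy or firewall in front of it; the sample lines and the /files?name= endpoint are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in Common Log Format. The log source (a proxy or firewall
# in front of the device) and the /files?name= endpoint are assumptions.
SAMPLE_LOG = """\
10.0.5.12 - - [13/Feb/2017:10:01:02 +0000] "GET /status HTTP/1.1" 200 512
10.0.5.40 - - [13/Feb/2017:10:01:07 +0000] "GET /files?name=../../settings.cfg HTTP/1.1" 200 1873
10.0.5.40 - - [13/Feb/2017:10:01:09 +0000] "GET /files?name=%2e%2e%2fconfig HTTP/1.1" 404 0
10.0.5.40 - - [13/Feb/2017:10:01:11 +0000] "GET /files?name=%252e%252e%255cconfig HTTP/1.1" 200 944
10.0.5.12 - - [13/Feb/2017:10:02:00 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 88
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized too."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def has_traversal(decoded):
    """True if any path or query component is exactly '..' (either slash style)."""
    parts = re.split(r"[/?&=]", decoded.replace("\\", "/"))
    return ".." in parts


def scan(log_text):
    """Return one finding per request whose decoded target contains a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        decoded, rounds = fully_decode(target)
        if has_traversal(decoded):
            findings.append({"ip": ip, "target": target, "status": status,
                             "decode_rounds": rounds, "served": 200 <= status < 300})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Findings with "served" set to True are the ones to triage first, since a success status on a traversal-shaped request may mean file contents were returned. A nonzero "decode_rounds" shows the sequence was percent-encoded, which a plain string match on "../" would miss.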
Evidence notes
Source evidence indicates the flaw is a path traversal issue in INTERSCHALT Maritime Systems VDR G4e versions 5.220 and prior, published by CVE/NVD on 2017-02-13. NVD lists CWE-22 and CVSS v3.1 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). References include the CVE record, the NVD detail page, and an ICS-CERT advisory (ICSA-16-343-04). No exploit code, proof-of-concept, or fixed-version information was provided in the supplied corpus.
Official resources
- CVE-2016-9339 CVE record: CVE.org
- CVE-2016-9339 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory, US Government Resource
Publicly disclosed in the CVE/NVD record on 2017-02-13. The supplied corpus includes an ICS-CERT advisory reference (ICSA-16-343-04) and related third-party advisory entries. This debrief does not assert any exploitability beyond the cited,