PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9338 Rockwellautomation CVE debrief

CVE-2016-9338 is a low-severity Rockwell Automation controller issue where an authenticated administrator may be able to remove all administrative users. The affected controller still functions as a controller, but the ancillary web server administration function can be lost until a factory reset restores it.

Vendor
Rockwellautomation
Product
CVE-2016-9338
CVSS
LOW 2.7
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-13
Original CVE updated
2026-05-13
Advisory published
2017-02-13
Advisory updated
2026-05-13

Who should care

Industrial control system operators, plant engineers, and asset owners running the affected Rockwell Automation Allen-Bradley controllers or related NVD-listed 1766-L32* families should review this issue, especially if the embedded web interface is used for administration.

Technical summary

The NVD record describes an incorrect permission assignment for a critical web-management resource. The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L) indicates network reachability with high privileges required and limited availability impact. The vendor description names MicroLogix 1100 controller models 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, and 1763-L16DWD in Series A/B through version 14.000; the NVD CPE list also includes related 1766-L32* Series A/B devices through version 15.004. The practical effect is loss of ancillary web-server administrative function, not loss of controller operation.

Defensive priority

Low

Recommended defensive actions

  • Inventory Rockwell Automation controllers and match firmware against the affected model/version ranges in the NVD record.
  • Restrict administrative access to the controller web interface to trusted management networks and accounts only.
  • Review the ICS-CERT and vendor guidance linked from the CVE record for any remediation, recovery, or hardening steps.
  • Prepare and test factory-reset and restoration procedures so web-server management can be recovered quickly if administrative users are removed.
  • Monitor for unexpected changes to controller administrative accounts and document the normal admin set for each device.
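The first action above, matching inventory against the affected model/version ranges, is easy to get wrong by hand when catalog numbers use wildcard families and firmware revisions use the three-digit minor format. The following is an added example, not PatchSiren's or Rockwell Automation's code: it encodes the ranges named in the technical summary (the four 1763-L16 models through 14.000 and the 1766-L32* family through 15.004), assumes "through" is inclusive, and flags which constructed inventory entries fall in range and also have the web interface enabled for administration. The controller names, firmware values and `web_admin_enabled` flags in the sample inventory are constructed for illustration.

```python
"""Match a controller inventory against the CVE-2016-9338 affected ranges.

Added example: ranges are transcribed from the debrief text; the inclusive
reading of "through version" is an assumption of this example.
"""
from dataclasses import dataclass

# Affected model -> highest listed firmware revision (assumed inclusive).
# A trailing '*' marks a catalog-number family rather than one exact model.
AFFECTED_RANGES = {
    "1763-L16AWA": "14.000",
    "1763-L16BBB": "14.000",
    "1763-L16BWA": "14.000",
    "1763-L16DWD": "14.000",
    "1766-L32*": "15.004",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a firmware revision such as '15.004' into a comparable tuple.

    Revisions are expected in the vendor's major.minor form where the minor
    part is zero-padded to three digits, so '15.004' becomes (15, 4).
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware revision: {version!r}")
    return tuple(int(p) for p in parts)


def model_matches(pattern: str, model: str) -> bool:
    """True when a catalog number matches an exact model or a '*' family."""
    if pattern.endswith("*"):
        return model.upper().startswith(pattern[:-1].upper())
    return model.upper() == pattern.upper()


@dataclass
class Controller:
    name: str
    model: str
    firmware: str
    web_admin_enabled: bool  # is the embedded web interface used for admin?


def assess(ctrl: Controller) -> str:
    """Classify one controller against the affected ranges.

    Returns one of:
      'not_in_scope'                - model not in the listed ranges
      'above_listed_range'          - listed model, revision above the range
      'affected_web_admin_enabled'  - in range and web admin in use
      'affected_web_admin_disabled' - in range, web admin not in use
    """
    for pattern, max_rev in AFFECTED_RANGES.items():
        if not model_matches(pattern, ctrl.model):
            continue
        if parse_version(ctrl.firmware) > parse_version(max_rev):
            return "above_listed_range"
        if ctrl.web_admin_enabled:
            return "affected_web_admin_enabled"
        return "affected_web_admin_disabled"
    return "not_in_scope"


def summarize(inventory: list[Controller]) -> dict[str, list[str]]:
    """Group controller names by assessment result, for a review list."""
    report: dict[str, list[str]] = {}
    for ctrl in inventory:
        report.setdefault(assess(ctrl), []).append(ctrl.name)
    return report


# Constructed sample inventory (names, revisions and flags are made up).
SAMPLE_INVENTORY = [
    Controller("PLC-LINE1", "1763-L16BWA", "14.000", True),
    Controller("PLC-LINE2", "1766-L32BXB", "15.004", False),
    Controller("PLC-LINE3", "1766-L32BXB", "16.000", True),
    Controller("PLC-UTIL", "1769-L33ER", "30.011", True),
]

if __name__ == "__main__":
    for status, names in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(names)}")
```

Entries reported as `affected_web_admin_enabled` are the ones where the second and fifth actions apply most directly: restrict who can reach the web interface and record the expected administrator set so an unexpected removal is noticed. The `above_listed_range` result only means the revision is above what the record lists, not that a fix is confirmed; check the vendor guidance for that.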

Evidence notes

Public disclosure is dated 2017-02-13 in the supplied CVE/NVD record. The issue description states that users with administrator privileges may remove all administrative users, requiring a factory reset to restore ancillary web server function, while controller operation continues. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L and a low severity score of 2.7. The record was later modified on 2026-05-13, which should not be treated as the original issue date.

Official resources

Publicly disclosed on 2017-02-13 via the CVE/NVD record and referenced ICS-CERT advisory; the later 2026-05-13 NVD modification does not change the original disclosure date.