PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10224 Sauter Controls CVE debrief

CVE-2016-10224 describes a weakness in Sauter NovaWeb web HMI where a protection mechanism depends on a cookie, but the application does not properly verify that the cookie is valid for the associated user. In practical terms, this is an access-control and authentication-strength issue: if the cookie is accepted without sufficient user binding, the protection can be undermined. NVD classifies the issue as high severity (CVSS 7.2) and maps it to CWE-254. The published record and the referenced ICS-CERT advisory indicate this should be treated as a defensive hardening and validation problem rather than a code-execution bug.

Vendor: Sauter Controls
Product: CVE-2016-10224
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Operators and maintainers of Sauter NovaWeb web HMI deployments, OT/ICS security teams, system integrators, and anyone responsible for authentication, session handling, or remote access controls around the HMI.

Technical summary

The vulnerability is a cookie-validation flaw in the web HMI’s protection mechanism. According to the supplied NVD description, the application relies on the existence or value of a cookie, but does not properly ensure that the cookie is valid for the associated user. NVD’s CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, which signals network reachability with high privileges required and potentially severe confidentiality, integrity, and availability impact if the control is bypassed. The weakness is categorized as CWE-254 in the supplied record.

Defensive priority

High for any exposed or remotely accessible NovaWeb web HMI deployment; lower only if access is tightly restricted and the environment is already hardened. The combination of network reachability and strong potential impact makes this worth prompt review even though the attacker is expected to have high privileges.

Recommended defensive actions

  • Review all authentication and session-handling paths in NovaWeb web HMI for cookie binding to the correct authenticated user.
  • Ensure cookies used for protection are not accepted solely on presence or value; validate user association and session integrity server-side.
  • Restrict administrative and HMI access to trusted networks, jump hosts, and strong authenticated channels.
  • Audit for any custom integrations, proxies, or reverse-engineering workarounds that might weaken cookie/session checks.
  • Monitor logs for unexpected session reuse, anomalous authentication patterns, or access to protected functions without normal user flow.
  • Use the referenced ICS-CERT advisory and the NVD record to confirm any vendor mitigation guidance and deployment-specific compensating controls.
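To make the second action above concrete, here is an added example (not NovaWeb or vendor code) that contrasts the weak pattern the record describes, accepting a cookie on its presence or value, with a server-side check that binds the session to the authenticated user. The session store, secret and user names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed, server-side state for the example; in a real HMI this lives in the application.
SERVER_SECRET = secrets.token_bytes(32)   # never leaves the server, never placed in a cookie
SESSIONS: Dict[str, dict] = {}            # session id -> {"user": ..., "expires": ...}


def weak_user_from_cookie(cookie: str) -> Optional[str]:
    """The flawed pattern: trust whatever identity the cookie itself claims."""
    if cookie.startswith("user="):
        return cookie[len("user="):]      # no check that this cookie was ever issued to that user
    return None


def issue_session(user: str, ttl_s: int = 900) -> str:
    """Create a server-side session bound to `user`; return the cookie value to set."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": time.time() + ttl_s}
    tag = hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"             # opaque id plus integrity tag, no identity claim in the cookie


def user_from_cookie(cookie: str, claimed_user: str) -> Optional[str]:
    """Hardened check: cookie must be authentic, unexpired, and bound to `claimed_user`."""
    sid, _, tag = cookie.partition(".")
    expected = hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # forged or tampered cookie
        return None
    sess = SESSIONS.get(sid)
    if sess is None or sess["expires"] < time.time():
        SESSIONS.pop(sid, None)                  # unknown or expired session
        return None
    if sess["user"] != claimed_user:             # valid cookie, but issued to a different user
        return None
    return sess["user"]
```

The weak check returns "admin" for any request carrying `user=admin`; the hardened check only returns a user when the cookie maps to a live server-side session that was issued to that same user.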

Evidence notes

This debrief is based only on the supplied corpus: the NVD CVE record, the CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), the CWE-254 classification, the NVD description of improper cookie-to-user validation, and the linked ICS-CERT advisory reference (ICSA-16-343-02). No affected version range was provided in the supplied data beyond a wildcard CPE for Sauter NovaWeb web HMI.

Official resources

The CVE was published by the official record on 2017-02-13 and later modified on 2026-05-13. The supplied references point to an ICS-CERT advisory for mitigation context.