PatchSiren cyber security CVE debrief
CVE-2017-5136 Sendquick CVE debrief
CVE-2017-5136 is a high-severity authorization flaw affecting SendQuick Entera and Avera devices before 2HF16. The application failed to verify access control on a request, which could allow an attacker to trigger a system shutdown. Because the issue is network-reachable and does not require user interaction or privileges, it is primarily an availability risk for exposed appliances.
- Vendor: Sendquick
- Product: CVE-2017-5136
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-05
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-05
- Advisory updated: 2026-05-13
Who should care
Organizations that operate SendQuick Entera or Avera SMS gateway appliances, especially any deployment running firmware or software earlier than 2HF16. Network defenders, appliance administrators, and incident responders should treat externally reachable management or application interfaces as the most urgent exposure points.
Technical summary
NVD classifies the weakness as CWE-862 (Missing Authorization). The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-accessible issue with no privileges or user interaction required and high availability impact. The affected CPEs in the source record point to SendQuick Entera SMS Gateway firmware and SendQuick Avera SMS Gateway firmware. The reported consequence is an attacker being able to shut down the system by sending a request that the application should have rejected.
Defensive priority
High. The issue is simple to reach, requires no authentication, and directly affects service availability. If these appliances are exposed to untrusted networks, prioritize containment and remediation quickly.
Recommended defensive actions
- Identify any SendQuick Entera and Avera devices in scope, and verify whether they are running versions before 2HF16.
- Restrict network access to appliance management or application interfaces until remediation is confirmed.
- Upgrade to the vendor's fixed release (2HF16 or later), or apply the vendor's remediation, if available for your deployment.
- Monitor for unexpected shutdown events or administrative request patterns targeting these devices.
- If immediate patching is not possible, isolate the appliance on a trusted management network and limit access to known administrators only.
Evidence notes
The debrief is based on the NVD record for CVE-2017-5136 and its referenced third-party advisory entries. The source description states that SendQuick Entera and Avera devices before 2HF16 failed to check request access control and could be shut down by an attacker. NVD assigns CWE-862 and CVSS v3.0 7.5 HIGH with an availability-only impact profile. No KEV listing is present in the supplied corpus.
Official resources
- CVE-2017-5136 CVE record (CVE.org)
- CVE-2017-5136 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected]): Third Party Advisory, VDB Entry
- Mitigation or vendor reference ([email protected]): Third Party Advisory, URL Repurposed
Publicly disclosed in the CVE record on 2017-02-05. The supplied source corpus later shows an NVD modification timestamp of 2026-05-13, which should not be treated as the vulnerability's issue date.