PatchSiren cyber security CVE debrief
CVE-2017-5137 Sendquick CVE debrief
CVE-2017-5137 is an information disclosure issue affecting SendQuick Entera and Avera devices before 2HF16. According to NVD, an attacker could request and download SMS logs without authenticating, which could expose sensitive message content and related metadata. The CVE was published on 2017-02-05 and later modified in NVD on 2026-05-13.
- Vendor: Sendquick
- Product: CVE-2017-5137
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-05
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-05
- Advisory updated: 2026-05-13
Who should care
Administrators of SendQuick Entera and Avera SMS gateway appliances, security operations teams, and organizations that store sensitive or regulated communications in SMS logs should pay attention, especially if the devices are reachable from untrusted networks.
Technical summary
The supplied NVD record describes unauthenticated access to SMS logs on SendQuick Entera and Avera firmware before 2HF16. NVD maps the issue to CWE-532. The recorded CVSS score is 6.2 (Medium), with confidentiality impact as the primary concern and no integrity or availability impact noted. The source CVSS vector is provided as CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; this debrief preserves the source data as supplied.
Defensive priority
Medium-high. This is not code execution, but it can expose sensitive SMS contents and operational metadata without authentication. Prioritize if the appliances are internet-facing, contain customer or compliance-sensitive messages, or are used in regulated environments.
Recommended defensive actions
- Upgrade affected SendQuick Entera and Avera devices to 2HF16 or later, or otherwise apply the vendor-fixed version identified for the appliance in use.
- Restrict or eliminate unauthenticated access paths to any SMS log retrieval function.
- Verify that access controls, authentication, and authorization are enforced on all administrative and log-download interfaces.
- Review whether SMS logs were exposed historically and assess whether any sensitive data, credentials, or tokens were recorded there.
- Check for suspicious or unexpected log-download activity and preserve audit records for investigation.
- Inventory deployed firmware versions and confirm which devices match the affected CPEs in the NVD record.
- Purge or rotate any sensitive material that may have been exposed through logs, and consider retention minimization for future logs.
Evidence notes
The debrief is based on the CVE description and NVD metadata in the supplied corpus. Key evidence includes: affected SendQuick Entera and Avera devices before 2HF16; unauthenticated request/download of SMS logs; NVD CWE-532 mapping; CVSS 6.2 Medium; and the listed CPE firmware entries for SendQuick Entera and Avera SMS gateway firmware. References in the corpus point to NVD/CVE records plus third-party advisory pages (SecurityFocus BID 96031 and a Niantech blog post). No exploit instructions or unsupported claims are included.
Official resources
- CVE-2017-5137 CVE record (CVE.org)
- CVE-2017-5137 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory, URL Repurposed
Public CVE publication date: 2017-02-05. NVD record modified on 2026-05-13. Use the published date for issue timing; the later modified date reflects record maintenance, not the vulnerability's original disclosure.