PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5813 Visonic CVE debrief

CVE-2016-5813 is a medium-severity information disclosure flaw in Visonic PowerLink2 firmware. According to the NVD description, accessing a specific image URL can cause the downloaded image response to carry source code used by the web server. The issue applies to all versions prior to the October 2016 firmware release. The published CVSS v3.0 vector describes a network-reachable issue that requires no privileges or user interaction and impacts confidentiality only.

Vendor: Visonic
Product: CVE-2016-5813
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations that deploy or support Visonic PowerLink2 devices, especially security integrators, facility operators, and teams responsible for embedded or industrial-style networked equipment, should review exposure and firmware status.

Technical summary

NVD classifies the weakness as CWE-200 (Information Exposure) with CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The reported behavior is that a specific image URL returns downloaded content that includes source code used in the device web server. That means remote, unauthenticated access may reveal implementation details that are not meant to be exposed, but the supplied record does not indicate integrity or availability impact.

Defensive priority

Moderate. The issue is easy to reach over the network and exposes source code, but the supplied record indicates confidentiality impact only and no evidence of code execution or service disruption.

Recommended defensive actions

  • Upgrade Visonic PowerLink2 firmware to the October 2016 release or later, as described in the vulnerability summary.
  • Restrict network access to the device management interface so only trusted administrators can reach it.
  • Inventory deployed PowerLink2 devices and verify whether any remain on firmware versions prior to the October 2016 release.
  • Review exposed web content and logs for unexpected requests to image or related URLs.
  • Consult the US-CERT/ICS advisory and the NVD record for any vendor-specific remediation guidance.

Evidence notes

The CVE description states that when a specific URL to an image is accessed, the downloaded image carries source code used in the web server. NVD maps the weakness to CWE-200 and assigns CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The affected scope in the supplied record is Visonic PowerLink2 firmware versions prior to the October 2016 release.

Official resources

The issue was publicly disclosed in the official CVE record and NVD entry published on 2017-02-13. The supplied references include a US-CERT/ICS advisory and SecurityFocus BID 94894.