Details of VAR-201702-0427

ID

VAR-201702-0427

CVE

CVE-2016-5815

TITLE

Schneider Electric of IONXXXX Series and PM5XXX Vulnerability to Access Device Management Portal in Series Power Meter

Trust: 0.8

sources: JVNDB: JVNDB-2016-007982

DESCRIPTION

An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes. Schneider Electric ION Power Meter is an electrical energy meter. A security bypass vulnerability exists in Schneider Electric ION Series. An attacker could use this vulnerability to bypass certain security mechanisms to perform unauthorized operations

Trust: 2.52

sources: NVD: CVE-2016-5815 // JVNDB: JVNDB-2016-007982 // CNVD: CNVD-2016-10728 // BID: 94091 // VULHUB: VHN-94634

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-10728

AFFECTED PRODUCTS

vendor:	schneider electric	model:	ion7500	scope:	eq	version:	-	Trust: 1.6
vendor:	schneider electric	model:	ion8800	scope:	eq	version:	-	Trust: 1.6
vendor:	schneider electric	model:	ion7600	scope:	eq	version:	-	Trust: 1.6
vendor:	schneider electric	model:	ion8650	scope:	eq	version:	-	Trust: 1.6
vendor:	schneider electric	model:	ion7300	scope:	eq	version:	-	Trust: 1.6
vendor:	schneider electric	model:	ion5000	scope:	eq	version:	-	Trust: 1.6
vendor:	schneider electric	model:	ion73xx	scope:	eq	version:	series	Trust: 0.8
vendor:	schneider electric	model:	ion75xx	scope:	eq	version:	series	Trust: 0.8
vendor:	schneider electric	model:	ion76xx	scope:	eq	version:	series	Trust: 0.8
vendor:	schneider electric	model:	ion8650	scope:	eq	version:	series	Trust: 0.8
vendor:	schneider electric	model:	ion8800	scope:	eq	version:	series	Trust: 0.8
vendor:	schneider electric	model:	pm5xxx	scope:	eq	version:	series	Trust: 0.8
vendor:	schneider	model:	electric ion series	scope:	-	version:	-	Trust: 0.6
vendor:	schneider electric	model:	ionpm5000 power meter	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	ion8800 power meter	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	ion8650 power meter	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	ion7600 power meter	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	ion7500 power meter	scope:	eq	version:	0	Trust: 0.3
vendor:	schneider electric	model:	ion7300 power meter	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2016-10728 // BID: 94091 // JVNDB: JVNDB-2016-007982 // CNNVD: CNNVD-201611-110 // NVD: CVE-2016-5815

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-5815
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-5815
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2016-10728
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201611-110
value:	HIGH
Trust: 0.6
VULHUB:	VHN-94634
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-5815
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-10728
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-94634
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-5815
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-10728 // VULHUB: VHN-94634 // JVNDB: JVNDB-2016-007982 // CNNVD: CNNVD-201611-110 // NVD: CVE-2016-5815

PROBLEMTYPE DATA

problemtype:

CWE-284

Trust: 1.9

sources: VULHUB: VHN-94634 // JVNDB: JVNDB-2016-007982 // NVD: CVE-2016-5815

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201611-110

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201611-110

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007982

PATCH

title:

SEVD-2016-256-02

url:

http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-256-02

Trust: 0.8

sources: JVNDB: JVNDB-2016-007982

EXTERNAL IDS

db:	NVD	id:	CVE-2016-5815	Trust: 3.4
db:	ICS CERT	id:	ICSA-16-308-03	Trust: 2.8
db:	BID	id:	94091	Trust: 2.6
db:	JVNDB	id:	JVNDB-2016-007982	Trust: 0.8
db:	CNNVD	id:	CNNVD-201611-110	Trust: 0.7
db:	CNVD	id:	CNVD-2016-10728	Trust: 0.6
db:	VULHUB	id:	VHN-94634	Trust: 0.1

sources: CNVD: CNVD-2016-10728 // VULHUB: VHN-94634 // BID: 94091 // JVNDB: JVNDB-2016-007982 // CNNVD: CNNVD-201611-110 // NVD: CVE-2016-5815

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-308-03	Trust: 2.8
url:	http://www.securityfocus.com/bid/94091	Trust: 2.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5815	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2016-5815	Trust: 0.8
url:	www.controlmicrosystems.com	Trust: 0.3

sources: CNVD: CNVD-2016-10728 // VULHUB: VHN-94634 // BID: 94091 // JVNDB: JVNDB-2016-007982 // CNNVD: CNNVD-201611-110 // NVD: CVE-2016-5815

CREDITS

Karn Ganeshen.

Trust: 0.9

sources: BID: 94091 // CNNVD: CNNVD-201611-110

SOURCES

db:	CNVD	id:	CNVD-2016-10728
db:	VULHUB	id:	VHN-94634
db:	BID	id:	94091
db:	JVNDB	id:	JVNDB-2016-007982
db:	CNNVD	id:	CNNVD-201611-110
db:	NVD	id:	CVE-2016-5815

LAST UPDATE DATE

2025-04-20T23:26:13.655000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-10728	date:	2016-11-08T00:00:00
db:	VULHUB	id:	VHN-94634	date:	2017-03-14T00:00:00
db:	BID	id:	94091	date:	2016-11-24T01:07:00
db:	JVNDB	id:	JVNDB-2016-007982	date:	2017-04-04T00:00:00
db:	CNNVD	id:	CNNVD-201611-110	date:	2016-11-08T00:00:00
db:	NVD	id:	CVE-2016-5815	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-10728	date:	2016-11-08T00:00:00
db:	VULHUB	id:	VHN-94634	date:	2017-02-13T00:00:00
db:	BID	id:	94091	date:	2016-11-03T00:00:00
db:	JVNDB	id:	JVNDB-2016-007982	date:	2017-04-04T00:00:00
db:	CNNVD	id:	CNNVD-201611-110	date:	2016-11-08T00:00:00
db:	NVD	id:	CVE-2016-5815	date:	2017-02-13T21:59:00.503