Cyber Resilience

CVE-2016-4523

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 June 2016

Modified: 22 April 2026
KEV Added: 15 April 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.6543 (98.5th percentile)
Risk Priority: 74 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-4523 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Trihedral VTScada. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an out-of-bounds read (CWE-125) in the WAP interface of Trihedral VTScada (formerly VTS) versions 8.x through 11.x prior to 11.2.02. It is rated 7.5 on CVSS 3.1 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and can trigger an application crash.

Remote unauthenticated attackers can exploit the flaw over the network to cause a denial of service. The attack requires no user interaction and results only in loss of availability with no impact on confidentiality or integrity.

Public references include ICS-CERT advisory ICSA-16-159-01 and Zero Day Initiative advisory ZDI-16-405, which direct users to vendor updates addressing the issue. No information on observed in-the-wild exploitation is provided in the source data.

EU & UK References

Vulnerability details

The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via unspecified vectors.

CWE(s)
KEV Date Added: 15 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: trihedral
Product: vtscada
Versions: 8.0.05 — 11.2.02

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely installation of the vendor patch (11.2.02) that eliminates the out-of-bounds read in the WAP interface.

Prevent: Mandates validation of all input to the WAP interface, blocking the malformed data that triggers the CWE-125 out-of-bounds read and crash.

Prevent: Requires mechanisms to protect against or limit denial-of-service effects from network requests targeting the vulnerable WAP interface.

References