A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM and the iStar Ultra is encrypted using a fixed AES key and IV. Each message is encrypted in CBC mode and restarts with the fixed IV, leading to replay attacks of entire messages. There is no authentication of messages beyond the use of the fixed AES key, so message forgery is also possible.
Conclusion & alert: CVE-2017-17704 is rated Moderate Risk (50.7/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.99%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.15% | 0.99% | +0.84% |
| 2 | 2025-03-30 | 0.10% | 0.15% | +0.05% |
| 3 | 2023-03-07 | — | 0.10% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.4 | 3.0 | HIGH |
|
2.2 | 5.2 | [email protected] |
| 5.8 | 2.0 | MEDIUM |
|
8.6 | 4.9 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| swhouse | istar_ultra_firmware | <= 6.5.2.20569 | cpe:2.3:o:swhouse:istar_ultra_firmware:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://systemoverlord.com/2017/12/18/cve-2017-17704-broken-cryptography-in-istar-ultra-ip-acm-by-software-house.html | Third Party Advisory |