CVE-2019-10939
published 2020-04-14

Priority P260 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.12% (62.0th percentile)

A vulnerability has been identified in TIM 3V-IE (incl. SIPLUS NET variants) (All versions < V2.8), TIM 3V-IE Advanced (incl. SIPLUS NET variants) (All versions < V2.8), TIM 3V-IE DNP3 (incl. SIPLUS NET variants) (All versions < V3.3), TIM 4R-IE (incl. SIPLUS NET variants) (All versions < V2.8), TIM 4R-IE DNP3 (incl. SIPLUS NET variants) (All versions < V3.3). The affected versions contain an open debug port that is available under certain specific conditions. The vulnerability is only available if the IP address is configured to 192.168.1.2. If available, the debug port could be exploited by an attacker with network access to the device. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device. At the stage of publishing this security advisory no public exploitation is known.

Affected

10 ranges
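| Vendor     | Product                      | Version range | Fixed in |
|------------|------------------------------|---------------|----------|
| siemens    | tim_3v-ie_advanced_firmware  | < 2.8         | 2.8      |
| siemens    | tim_3v-ie_dnp3_firmware      | < 2.8         | 2.8      |
| siemens    | tim_3v-ie_firmware           | < 2.8         | 2.8      |
| siemens    | tim_4r-ie_dnp3_firmware      | < 3.3         | 3.3      |
| siemens    | tim_4r-ie_firmware           | < 3.3         | 3.3      |
| siemens_ag | tim_3v-ie                    |               |          |
| siemens_ag | tim_3v-ie_advanced           |               |          |
| siemens_ag | tim_3v-ie_dnp3               |               |          |
| siemens_ag | tim_4r-ie                    |               |          |
| siemens_ag | tim_4r-ie_dnp3               |               |          |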

Detection & IOCs (extracted from sources)

Port: 17185/UDP
  • The debug port is only exposed when the device IP is configured to exactly 192.168.1.2 — scan/monitor for TIM 3V-IE or 4R-IE devices with this IP address as a high-priority indicator of exploitability.
  • Monitor and alert on inbound/outbound traffic to UDP port 17185 on affected Siemens TIM devices; unexpected traffic to this port may indicate exploitation attempts.
  • Exploitation requires no user interaction and no prior authentication — any network-originated connection to the debug port from an unauthenticated source should be treated as a high-severity alert.
  • The vulnerability is ONLY triggerable when the device IP is set to 192.168.1.2 — devices configured with any other IP address are not exposed to this debug port.
  • High skill level is required to exploit this vulnerability despite no authentication being needed; no public exploits were known at time of advisory publication.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P