CVE-2020-25238 — Improper Access Control in Siemens Simatic Process Control System NEO

CWE-284 — Improper Access Control CWE-427 — Uncontrolled Search Path Element3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 69.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic Process Control System NEO Siemens PCS NEO Siemens TIA Portal +1 more

Timeline

PublishedFeb 9

Latest updateMay 24

Description

A vulnerability has been identified in PCS neo (Administration Console) (All versions < V3.1), TIA Portal (V15, V15.1 and V16). Manipulating certain files in specific folders could allow a local attacker to execute code with SYSTEM privileges. The security vulnerability could be exploited by an attacker with a valid account and limited access rights on the system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDsiemens/simatic_process_control_system_neo< 3.1

▶CVEListV5siemens/tia_portalV15, V15.1 and V16

▶NVDsiemens/totally_integrated_automation_portal15, 15.1, 16+2

▶CVEListV5siemens/pcs_neoAll versions < V3.1

🔴Vulnerability Details

GHSA

GHSA-xj9q-pj74-p2j4: A vulnerability has been identified in PCS neo (Administration Console) (V3↗2022-05-24

▶

CVEList

CVE-2020-25238: A vulnerability has been identified in PCS neo (Administration Console) (All versions < V3↗2021-02-09

▶