CVE-2021-33721: OS Command Injection in Siemens Sinec Network Management System

Severity: 7.2 HIGH (NVD)
EPSS: 5.1% (top 10.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 10; latest update May 24

Description

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The affected application incorrectly neutralizes special elements when creating batch operations which could lead to command injection. An authenticated remote attacker with administrative privileges could exploit this vulnerability to execute arbitrary code on the system with system privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: siemens/sinec_nms, All versions < V1.0 SP2

Patches

Vulnerability Details (2)

GHSA: GHSA-63f9-382x-9vr8 (2022-05-24): A vulnerability has been identified in SINEC NMS (All versions < V1
CVEList: CVE-2021-33721 (2021-08-10): A vulnerability has been identified in SINEC NMS (All versions < V1