CVE-2022-33139: Use of Client-Side Authentication in Siemens Cerberus DMS

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.4% (top 38.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 21; latest update Jun 22

Description

A vulnerability has been identified in Cerberus DMS (All versions), Desigo CC (All versions), Desigo CC Compact (All versions), SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration). Affected applications use client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, atta

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (7 packages)

CVEListV5: siemens/simatic_wincc_oa_v3.16 (All versions in default configuration)
CVEListV5: siemens/simatic_wincc_oa_v3.17 (All versions in non-default configuration)
CVEListV5: siemens/simatic_wincc_oa_v3.18 (All versions in non-default configuration)
CVEListV5: siemens/desigo_cc_compact (All versions)
NVD: siemens/wincc_open_architecture (3.16, 3.17, 3.18, +2 more)
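The description above says that, with neither server-side authentication (SSA) nor Kerberos enabled, the affected products rely on client-side-only authentication: the client checks the credential and the server trusts the identity the client then asserts. The Python sketch below is added here as an illustration of that pattern and its fix; it is not code from any Siemens product, from cvebase, or from the advisories. It contrasts a toy server that accepts whatever user and role the client claims with one that verifies a nonce-based proof of the password itself and binds the role to a server-issued session token. The user store, passwords, message format, action names and the challenge/response scheme are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password verifier (constructed for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store: username -> (salt, verifier, role).
# The salt is fixed so the example is deterministic; it is public anyway.
_SALT = b"fixed-demo-salt!"
USERS = {
    "operator": (_SALT, _derive("op-pass", _SALT), "operator"),
    "admin": (_SALT, _derive("adm-pass", _SALT), "admin"),
}


# --- Weak pattern: client-side-only authentication ------------------------
class ClientSideOnlyServer:
    """Trusts the identity and role carried in the message; it assumes the
    client already verified the password locally and never checks itself."""

    def handle(self, msg: dict) -> dict:
        if msg["action"] == "write_setpoint" and msg["role"] != "admin":
            return {"ok": False, "reason": "admin role required"}
        return {"ok": True, "as": msg["user"], "role": msg["role"]}


def honest_client_login(user: str, password: str) -> Optional[dict]:
    """A well-behaved client checks the password locally and then sends the
    identity it derived. A modified client can simply skip this step."""
    salt, verifier, role = USERS[user]
    if hmac.compare_digest(_derive(password, salt), verifier):
        return {"user": user, "role": role}
    return None


def rogue_client_message() -> dict:
    """Attacker's client: no password involved, just a forged identity claim."""
    return {"user": "admin", "role": "admin", "action": "write_setpoint"}


# --- Hardened pattern: server-side challenge/response ---------------------
class ServerSideAuthServer:
    """Issues a fresh nonce per login, verifies HMAC(verifier, nonce) itself,
    and ties the role to a session token it generated."""

    def __init__(self) -> None:
        self._pending: dict = {}   # user -> outstanding nonce (single use)
        self._sessions: dict = {}  # token -> role

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, proof: bytes) -> Optional[str]:
        nonce = self._pending.pop(user, None)  # consumed: replay fails
        if nonce is None or user not in USERS:
            return None
        _, verifier, role = USERS[user]
        expected = hmac.new(verifier, nonce, "sha256").digest()
        if not hmac.compare_digest(proof, expected):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = role
        return token

    def handle(self, token: Optional[str], action: str) -> dict:
        role = self._sessions.get(token or "")
        if role is None:
            return {"ok": False, "reason": "not authenticated"}
        if action == "write_setpoint" and role != "admin":
            return {"ok": False, "reason": "admin role required"}
        return {"ok": True, "role": role}


def client_proof(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What a legitimate client computes; it requires the real password."""
    return hmac.new(_derive(password, salt), nonce, "sha256").digest()


def demo() -> dict:
    """Runs both servers against a rogue and a legitimate client."""
    weak, hardened = ClientSideOnlyServer(), ServerSideAuthServer()
    out = {"rogue_on_weak": weak.handle(rogue_client_message())["ok"]}

    hardened.challenge("admin")
    forged = hardened.login("admin", b"\x00" * 32)       # no password known
    out["rogue_on_hardened"] = hardened.handle(forged, "write_setpoint")["ok"]

    nonce = hardened.challenge("admin")
    proof = client_proof("adm-pass", _SALT, nonce)
    token = hardened.login("admin", proof)
    out["admin_write"] = hardened.handle(token, "write_setpoint")["ok"]
    out["replay_rejected"] = hardened.login("admin", proof) is None

    nonce = hardened.challenge("operator")
    token = hardened.login("operator", client_proof("op-pass", _SALT, nonce))
    out["operator_write"] = hardened.handle(token, "write_setpoint")["ok"]
    out["operator_read"] = hardened.handle(token, "read_value")["ok"]
    return out
```

The point of the contrast is where the check lives, not the specific scheme: `honest_client_login` does verify the password, but on the weak server that is worthless because the wire message is the only thing the server sees. The hardened server is a minimal sketch; in the affected products the supported fix is enabling SSA or Kerberos as the advisory describes, and the HMAC-of-verifier construction above still lets anyone who obtains the stored verifier impersonate the user, which is why the stored credential must be protected as carefully as a password.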

Vulnerability Details (2 entries)

GHSA-28c6-247x-r9mw (2022-06-22): A vulnerability has been identified in SIMATIC WinCC OA V3
CVE-2022-33139 (CVEList, 2022-06-21): A vulnerability has been identified in Cerberus DMS (All versions), Desigo CC (All versions), Desigo CC Compact (All versions), SIMATIC WinCC OA V3
CVE-2022-33139 — Use of Client-Side Authentication | cvebase