CVE-2022-43724
published 2022-12-13

Priority: P266
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% (45.3th percentile)

A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the xp_cmdshell feature, which is enabled by default, unauthenticated remote attackers could execute custom OS commands. At the time of assigning the CVE, the affected firmware version of the component had already been superseded by succeeding mainline versions.

Affected (2 ranges)

Vendor    Product          Version range   Fixed in
siemens   sicam_pas_pqs    < 7.0           7.0
siemens   sicam_pas_pqs

Detection & IOCs (extracted from sources)

  • Monitor for cleartext transmission of SQL server database credentials on the network, which could indicate exploitation of CVE-2022-43724 against SICAM PAS/PQS.
  • Detect or alert on use of xp_cmdshell in SQL Server activity associated with SICAM PAS/PQS, as this feature is enabled by default and is the mechanism for OS command execution post-credential capture.
  • Flag unauthenticated remote connections to the SICAM PAS/PQS SQL server instance, especially from external or unexpected hosts, as exploitation requires no authentication once credentials are sniffed from cleartext traffic.
  • xp_cmdshell is enabled by default in the inbuilt SQL server of SICAM PAS/PQS versions prior to V7.0, making OS command execution trivially achievable once credentials are obtained from cleartext traffic. This default-on feature significantly elevates risk.
  • All versions of SICAM PAS/PQS prior to V7.0 are affected by the cleartext credential transmission issue (CVE-2022-43724). Versions from V7.0 up to (but not including) V8.06 are affected by related vulnerabilities (CVE-2022-43722, CVE-2022-43723).
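
Added example, not part of the advisory or of Siemens material: a T-SQL audit covering the xp_cmdshell and remote-connection checks listed above, using standard SQL Server catalog views and DMVs. It assumes sysadmin access to the inbuilt instance; whether SICAM PAS/PQS itself depends on xp_cmdshell is not stated on this page, so the disable step is left commented out.

```sql
-- Added example: defensive audit of the inbuilt SQL Server instance.
USE master;

-- 1. Is xp_cmdshell enabled? running_value = 1 means OS commands can be
--    executed by any login that holds the right to call it.
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Who can call it? sysadmin members always can when it is enabled.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 3. Explicit EXECUTE grants on xp_cmdshell to non-sysadmin principals.
SELECT pr.name AS principal_name, pr.type_desc,
       pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.all_objects          AS o  ON o.object_id     = pe.major_id
WHERE pe.class = 1
  AND o.name = N'xp_cmdshell';

-- 4. Current connections that do not originate from the server itself.
--    Compare client_net_address against the hosts expected to talk to
--    the instance; encrypt_option shows whether the session uses TLS.
SELECT c.session_id, c.client_net_address, c.encrypt_option, c.auth_scheme,
       s.login_name, s.host_name, s.program_name, c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.client_net_address NOT IN (N'<local machine>', N'127.0.0.1', N'::1')
ORDER BY c.connect_time DESC;

-- 5. Disable xp_cmdshell (uncomment after confirming the product does
--    not need it; that dependency is an open assumption here).
-- EXEC sp_configure N'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure N'xp_cmdshell', 0;           RECONFIGURE;
-- EXEC sp_configure N'show advanced options', 0; RECONFIGURE;
```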