CVE-2022-45147Deserialization of Untrusted Data in Siemens Simatic PCS NEO V4.0

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
8.5HIGHNVD
EPSS
0.1%
top 73.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Siemens Simatic PCS NEO V4.0Siemens Simatic Step 7 V16Siemens Simatic Step 7 V17+1 more
Timeline
PublishedJul 9

Description

A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC STEP 7 V16 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

CVEListV5siemens/simatic_step_7_v18< V18 Update 2

🔴Vulnerability Details

2
CVEList
CVE-2022-45147: A vulnerability has been identified in SIMATIC PCS neo V42024-07-09
GHSA
GHSA-mrhc-f9rh-fm9r: A vulnerability has been identified in SIMATIC PCS neo V42024-07-09
CVE-2022-45147 — Deserialization of Untrusted Data | cvebase