CVE-2023-25910 — Code Injection in Siemens Simatic PCS 7

CWE-94 — Code Injection3 documents3 sources

Severity

8.8HIGHNVD

CNA10.0

EPSS

1.1%

top 22.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic PCS 7 Siemens Simatic S7-pm Siemens Simatic Step 7 V5 +1 more

Timeline

PublishedJun 13

Description

A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9.1 SP2 UC04), SIMATIC S7-PM (All versions < V5.7 SP1 HF1), SIMATIC S7-PM (All versions < V5.7 SP2 HF1), SIMATIC STEP 7 V5 (All versions < V5.7). The affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server. An attacker with network access to the server network could leverage t…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDsiemens/simatic_step_7< 5.7

▶CVEListV5siemens/simatic_step_7_v5< V5.7

▶CVEListV5siemens/simatic_pcs_7< V9.1 SP2 UC04

▶CVEListV5siemens/simatic_s7-pm< V5.7 SP1 HF1+1

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-5wm3-c83x-cqpq: A vulnerability has been identified in SIMATIC PCS 7 (All versions), SIMATIC S7-PM (All versions), SIMATIC STEP 7 V5 (All versions < V5↗2023-06-13

▶

CVEList

CVE-2023-25910: A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9↗2023-06-13

▶