CVE-2023-28832 — Command Injection in Siemens Simatic Cloud Connect 7 Cc712

CWE-77 — Command Injection3 documents3 sources

Severity

7.2HIGHNVD

EPSS

1.1%

top 22.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic Cloud Connect 7 Cc712 Siemens Simatic Cloud Connect 7 Cc716 Siemens 6gk1411-1ac00 Firmware +1 more

Timeline

PublishedMay 9

Description

A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2.0 = V2.0 < V2.1). The web based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5siemens/simatic_cloud_connect_7_cc712All versions >= V2.0 < V2.1

▶CVEListV5siemens/simatic_cloud_connect_7_cc716All versions >= V2.0 < V2.1

▶NVDsiemens/6gk1411-1ac00_firmware2.0

▶NVDsiemens/6gk1411-5ac00_firmware2.0

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

CVEList

CVE-2023-28832: A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2↗2023-05-09

▶

GHSA

GHSA-p96q-9p2w-4j2c: A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2↗2023-05-09

▶