CVE-2023-30897

CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

7.8HIGH

EPSS

0.1%

top 78.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Wincc Siemens Simatic Wincc

Timeline

PublishedJun 13

Description

A vulnerability has been identified in SIMATIC WinCC (All versions < V7.5.2.13). Affected applications fail to set proper access rights for their installation folder if a non-default installation path was chosen during installation. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5siemens/simatic_winccAll versions < V7.5.2.13

▶NVDsiemens/wincc< 7.5.2.13

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-chm6-c3vh-vvc3: A vulnerability has been identified in SIMATIC WinCC (All versions < V7↗2023-06-13

▶

CVEList

CVE-2023-30897: A vulnerability has been identified in SIMATIC WinCC (All versions < V7↗2023-06-13

▶