CVE-2023-32737Deserialization of Untrusted Data in Siemens Simatic Step 7 Safety V18

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
7.0HIGHNVD
EPSS
0.1%
top 82.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Siemens Simatic Step 7 Safety V18
Timeline
PublishedJul 9

Description

A vulnerability has been identified in SIMATIC STEP 7 Safety V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5siemens/simatic_step_7_safety_v18< V18 Update 2

🔴Vulnerability Details

2
CVEList
CVE-2023-32737: A vulnerability has been identified in SIMATIC STEP 7 Safety V18 (All versions < V18 Update 2)2024-07-09
GHSA
GHSA-v9r2-vfw5-q6j9: A vulnerability has been identified in SIMATIC STEP 7 Safety V18 (All versions < V18 Update 2)2024-07-09
CVE-2023-32737 — Deserialization of Untrusted Data | cvebase