CVE-2024-46887

CWE-288 CWE-862 — Missing Authorization3 documents3 sources

Severity

6.9MEDIUM

EPSS

0.2%

top 57.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic Drive Controller CPU 1504d TF Siemens Simatic Drive Controller CPU 1507d TF Siemens Simatic ET 200sp CPU 1510sp-1 PN +84 more

Timeline

PublishedOct 8

Description

The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge about current actual and configured maximum cycle times as well as about configured maximum communication load.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages87 packages

▶CVEListV5siemens/simatic_s7-plcsim_advanced< V7.0

▶CVEListV5siemens/siplus_s7-1500_cpu_1511-1_pn< V2.9.8

▶CVEListV5siemens/siplus_s7-1500_cpu_1513-1_pn< V2.9.8

▶CVEListV5siemens/simatic_s7-1500_cpu_1511-1_pn< V2.9.8+1

▶CVEListV5siemens/simatic_s7-1500_cpu_1513-1_pn< V2.9.8+1

🔴Vulnerability Details

GHSA

GHSA-5qpf-cx59-xvm8: The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData↗2024-10-08

▶

CVEList

CVE-2024-46887: The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData↗2024-10-08

▶