Arbitrary Code Execution Vulnerability in Siemens SIMATIC Products
CVE-2019-10922

9.8CRITICAL

Key Information:

Vendor: Siemens Ag
Status: Simatic Pcs 7 V8.0 And Earlier; Simatic Pcs 7 V8.1 And Newer; Simatic Wincc V7.2 And Earlier; Simatic Wincc V7.3 And Newer
Vendor: CVE Published:; 14 May 2019

Summary

An identified vulnerability in Siemens SIMATIC PCS 7 and WinCC products allows an attacker with network access to execute arbitrary code on affected systems. This particularly impacts installations not configured for encrypted communication, enabling unauthorized, unauthenticated access that potentially compromises the integrity, confidentiality, and availability of the device. Mitigations should be implemented to secure affected installations from this risk.

Affected Version(s)

SIMATIC PCS 7 V8.0 and earlier All versions

SIMATIC PCS 7 V8.1 and newer All versions

SIMATIC WinCC V7.2 and earlier All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-70551...

x_refsource_MISC

http://www.securityfocus.com/bid/108398

vdb-entryx_refsource_BID

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2019
Vulnerability Reserved
Apr 8, 2019