Code Injection Vulnerability in Siemens SIMATIC WinCC and PCS 7 Products
CVE-2019-10935

7.2HIGH

Key Information:

Vendor: Siemens Ag
Status: Simatic Pcs 7 V8.0 And Earlier; Simatic Pcs 7 V8.1; Simatic Pcs 7 V8.2; Simatic Pcs 7 V9.0
Vendor: CVE Published:; 11 July 2019

Summary

A vulnerability in various Siemens SIMATIC WinCC and PCS 7 products allows authenticated attackers to upload arbitrary ASPX code via the WinCC DataMonitor web application. This security issue necessitates network access but does not require user interaction, thereby posing a significant risk to the confidentiality, integrity, and availability of the affected systems. No public exploitation has been reported as of the advisory's release.

Affected Version(s)

SIMATIC PCS 7 V8.0 and earlier All versions

SIMATIC PCS 7 V8.1 All versions < V8.1 with WinCC V7.3 Upd 19

SIMATIC PCS 7 V8.2 All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 11

References

https://cert-portal.siemens.com/productcert/pdf/ssa-12129...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 11, 2019
Vulnerability Reserved
Apr 8, 2019