Local Code Execution Vulnerability in PCS Neo and TIA Portal Products by Siemens
CVE-2020-25238

7.8HIGH

Key Information:

Vendor

Siemens
Status
Pcs Neo (administration Console)
Tia Portal
Vendor
CVE Published:
9 February 2021

What is CVE-2020-25238?

A local code execution vulnerability exists in PCS neo (Administration Console) versions prior to V3.1 and TIA Portal versions V15, V15.1, and V16. By manipulating specific files in designated folders, an attacker with a valid user account and restricted access can exploit this vulnerability to execute code with SYSTEM privileges. This potential exploit poses a significant risk, as it allows unauthorized actions to be performed within the affected systems.

Affected Version(s)

PCS neo (Administration Console) All versions < V3.1

TIA Portal V15, V15.1 and V16

References

https://cert-portal.siemens.com/productcert/pdf/ssa-42805...
x_refsource_MISC
https://www.kb.cert.org/vuls/id/466044
third-party-advisoryx_refsource_CERT-VN
https://us-cert.cisa.gov/ics/advisories/icsa-21-040-05
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.