DLL Injection Vulnerability in DIGSI 4 by Siemens
CVE-2020-25245

7.8HIGH

Key Information:

Vendor: Siemens
Status: Digsi 4
Vendor: CVE Published:; 9 February 2021

What is CVE-2020-25245?

A security vulnerability has been discovered in DIGSI 4, whereby multiple folders in the system path are accessible for writing by standard users. This misconfiguration allows an attacker to place malicious DLL files in these directories. When the affected application searches for dynamic-link libraries (DLLs), it may inadvertently execute these unauthorized files under the security context of the SYSTEM account, leading to potential unauthorized access and system compromise.

Affected Version(s)

DIGSI 4 All versions < V4.94 SP1 HF 1

References

https://cert-portal.siemens.com/productcert/pdf/ssa-53631...

x_refsource_MISC

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-10

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 9, 2021
Vulnerability Reserved
Sep 10, 2020