Data Transmission Vulnerability in Climatix POL909 by Siemens
CVE-2021-40366

7.4HIGH

Key Information:

Vendor: Siemens
Status: Climatix Pol909 (awb Module); Climatix Pol909 (awm Module)
Vendor: CVE Published:; 9 November 2021

Summary

A vulnerability exists in the Climatix POL909 devices where the web server transmits sensitive data, including administrator credentials, without TLS encryption. This exposes the data to potential interception and alteration by unauthenticated remote attackers positioned in a man-in-the-middle attack scenario, compromising the integrity and confidentiality of the communication.

Affected Version(s)

Climatix POL909 (AWB module) All versions < V11.42

Climatix POL909 (AWM module) All versions < V11.34

References

https://cert-portal.siemens.com/productcert/pdf/ssa-70371...

x_refsource_MISC

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 9, 2021
Vulnerability Reserved
Sep 1, 2021