Password Authentication Flaw in Desigo DXR2 and PXC Series by Siemens
CVE-2022-24044

7.5 HIGH

Key Information:

Vendor
Siemens
CVE Published:
20 May 2022

Summary

A high-severity (CVSS 7.5) vulnerability in the login functionality of several Siemens Desigo building automation controllers. The affected Desigo DXR2, PXC3 and PXC4 versions apply no countermeasures (such as rate limiting or account lockout) against password spraying or credential stuffing, so an unauthenticated attacker on the network can submit login attempts without restraint. By exploiting the issue the attacker can first identify valid usernames on the device and then run targeted login attempts against those accounts, with a good chance of gaining access to at least one of them. No privileges or user interaction are required.
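As an added example (not Siemens code and not part of this advisory), the following Python sketch contrasts a login of the kind described above, whose error messages expose a username oracle and which never throttles, with a hardened form that returns one uniform failure, checks unknown users against a dummy hash, locks an account after repeated failures and cuts off a source that cycles through many distinct usernames (the password-spraying signature). The user store, passwords, IP addresses and thresholds are all constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store (not the device's). A fixed salt keeps the
# example short; a real store uses a random per-user salt.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 20_000


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "admin": _hash_pw("Building2022!"),
    "operator": _hash_pw("Winter2022"),
}
# Compared against when the username is unknown, so known and unknown names
# take the same code path (and roughly the same time).
_DUMMY_HASH = _hash_pw("unused-dummy-password")


def weak_login(username: str, password: str) -> str:
    """Login of the kind the advisory describes: the error reveals whether the
    username exists, and nothing limits how many guesses one source may make
    against how many accounts."""
    if username not in USERS:
        return "unknown user"          # username oracle
    if hmac.compare_digest(USERS[username], _hash_pw(password)):
        return "ok"
    return "wrong password"


class HardenedLogin:
    """Three countermeasures: a single uniform failure message, a per-account
    lockout after repeated failures, and a per-source cap on how many distinct
    accounts may be tried inside a time window (the spray pattern)."""

    def __init__(self, max_failures=5, lock_seconds=900,
                 max_accounts_per_source=3, window_seconds=600):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.max_accounts_per_source = max_accounts_per_source
        self.window_seconds = window_seconds
        self.failures = defaultdict(int)        # username -> consecutive failures
        self.locked_until = {}                  # username -> unix time lock expires
        self.source_log = defaultdict(deque)    # source_ip -> deque of (ts, username)

    def attempt(self, username, password, source_ip, now=None) -> str:
        now = time.time() if now is None else now

        # Spray check: a source that keeps switching usernames is cut off,
        # even when its next guess would have been correct.
        log = self.source_log[source_ip]
        while log and now - log[0][0] > self.window_seconds:
            log.popleft()
        tried = {u for _, u in log}
        if username not in tried and len(tried) >= self.max_accounts_per_source:
            return "denied"
        log.append((now, username))

        # Stuffing / brute-force check: locked accounts answer like any failure.
        if self.locked_until.get(username, 0) > now:
            return "denied"

        # Always hash and compare, so unknown users do not answer faster.
        stored = USERS.get(username, _DUMMY_HASH)
        matched = hmac.compare_digest(stored, _hash_pw(password))
        if matched and username in USERS:
            self.failures[username] = 0
            return "ok"

        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lock_seconds
        return "denied"
```

Two caveats a deployment would have to handle: the per-source cap only sees one address, so an attacker spraying from many addresses needs a global counter of distinct accounts tried per window as well; and account lockout trades an availability risk (an attacker can lock out a real operator) for the brute-force protection, which is why exponential backoff or a CAPTCHA is often preferred over a hard lock on building controllers.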

Affected Version(s)

Desigo DXR2 All versions < V01.21.142.5-22

Desigo PXC3 All versions < V01.21.142.4-18

Desigo PXC4 All versions < V02.20.142.10-10884

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
