Insecure Deserialization Vulnerability in SINEC NMS and SINEMA Server
CVE-2022-24282

7.2HIGH

Key Information:

Vendor: Siemens
Status: Sinec Nms; Sinema Server V14
Vendor: CVE Published:; 8 March 2022

Summary

A vulnerability exists in the SINEC NMS and SINEMA Server that allows unauthorized users to upload malicious JSON objects. This insecure deserialization could enable an attacker to send a specially crafted serialized Java object, leading to arbitrary code execution with root privileges on affected devices. It’s critical for users to assess their implementations and update to mitigate the risk of exploitation.

Affected Version(s)

SINEC NMS All versions >= V1.0.3 < V2.0

SINEC NMS All versions < V1.0.3

SINEMA Server V14 All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-25008...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 8, 2022
Vulnerability Reserved
Jan 31, 2022