Session Hijacking Vulnerability in Siemens SIMATIC MV Series
CVE-2022-33137
8 HIGH
Key Information:
- Vendor: Siemens
- CVE Published: 12 July 2022
Summary
A vulnerability in the web session management of the Siemens SIMATIC MV series devices allows an authenticated remote attacker to hijack the sessions of other users. This issue occurs because the session identifiers are not properly invalidated in certain logout scenarios, posing a significant risk to user account safety. Affected versions include all versions of SIMATIC MV540 H, MV540 S, MV550 H, MV550 S, MV560 U, and MV560 X prior to V3.3.
Affected Version(s)
SIMATIC MV540 H All versions < V3.3
SIMATIC MV540 S All versions < V3.3
SIMATIC MV550 H All versions < V3.3
CVSS V3.1
- Score: 8
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved