Remote Code Execution Vulnerability in POWER METER Products by Siemens
CVE-2022-43545

9.9CRITICAL

Key Information:

Vendor: Siemens
Status: Power Meter Sicam Q100; Sicam P850; Sicam P855
Vendor: CVE Published:; 8 November 2022

Summary

A vulnerability exists in the POWER METER SICAM Q200 family and SICAM P850/P855 products, where affected devices fail to properly validate the RecordType parameter in requests sent to its web interface via port 443/tcp. This flaw may allow an authenticated remote attacker to crash the device, causing it to reboot, or even execute arbitrary code. Users are urged to upgrade to the latest versions to mitigate potential risks.

Affected Version(s)

POWER METER SICAM Q100 All versions < V2.50

References

https://cert-portal.siemens.com/productcert/pdf/ssa-57200...

https://cert-portal.siemens.com/productcert/pdf/ssa-57029...

https://cert-portal.siemens.com/productcert/pdf/ssa-88724...

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 8, 2022
Vulnerability Reserved
Oct 20, 2022