SQL Server Credential Exposure in Siemens SICAM PAS/PQS Products
CVE-2022-43724

9.8CRITICAL

Key Information:

Vendor: Siemens
Status: Sicam Pas/pqs
Vendor: CVE Published:; 13 December 2022

Summary

A vulnerability exists in Siemens SICAM PAS/PQS where database credentials for the integrated SQL server are transmitted in cleartext. This issue, combined with the default enabled xp_cmdshell functionality, allows unauthenticated remote attackers to execute arbitrary operating system commands, posing a significant risk to system integrity and data security. It is essential for users operating on affected versions to upgrade to versions V7.0 or later to mitigate this risk.

Affected Version(s)

SICAM PAS/PQS All versions < V7.0

References

https://cert-portal.siemens.com/productcert/pdf/ssa-84907...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 13, 2022
Vulnerability Reserved
Oct 24, 2022