Command Injection Vulnerability in SIMATIC Cloud Connect Products by Siemens
CVE-2023-28832

7.2HIGH

Key Information:

Vendor: Siemens
Status: Simatic Cloud Connect 7 Cc712; Simatic Cloud Connect 7 Cc716
Vendor: CVE Published:; 9 May 2023

Summary

A command injection vulnerability has been detected in specific versions of SIMATIC Cloud Connect 7 CC712 and CC716 by Siemens. This issue arises from inadequate user input validation in the web-based management interface. An authenticated attacker with privileged access could exploit this vulnerability to execute arbitrary commands and potentially gain root privileges, significantly compromising the security of the affected devices.

Affected Version(s)

SIMATIC Cloud Connect 7 CC712 All versions >= V2.0 < V2.1

SIMATIC Cloud Connect 7 CC716 All versions >= V2.0 < V2.1

References

https://cert-portal.siemens.com/productcert/pdf/ssa-55529...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 9, 2023
Vulnerability Reserved
Mar 24, 2023