Deserialization Vulnerability in SIMATIC STEP 7 Safety Could Lead to Arbitrary Code Execution
CVE-2023-32737

7 HIGH

Key Information:

Vendor

Siemens

CVE Published:
9 July 2024

What is CVE-2023-32737?

A vulnerability has been identified in SIMATIC STEP 7 Safety V18 in all versions earlier than V18 Update 2. The affected application does not properly restrict the .NET BinaryFormatter when it deserializes user-controllable input. Because BinaryFormatter lets the serialized payload itself name the types that are instantiated while it is being read, an attacker who can supply such input can cause a type confusion and execute arbitrary code within the affected application. The CVSS data below rates the attack vector as local, so the malicious input has to be introduced on the engineering workstation itself, for example through data the application loads from a file. Organizations running affected versions should assess their exposure and update to V18 Update 2 or later.
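The weakness class the description names, BinaryFormatter deserializing user-controlled input (the pattern Microsoft's analyzer rule CA2300 flags), shown below as an added C# example. This is not code from SIMATIC STEP 7 Safety or from Siemens: the ProjectSettings type, the file-based loader methods and the allow-list binder are hypothetical illustrations, since the page does not say which component or file format of the product is affected.

```csharp
// Added example (not Siemens / STEP 7 Safety code). Shows the CA2300-class
// weakness the advisory describes, BinaryFormatter fed user-controlled input,
// next to two hardened alternatives. ProjectSettings, the file paths and the
// loader methods are hypothetical; the real affected component is not named
// on the page.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;          // System.Text.Json NuGet package on .NET Framework

[Serializable]
public sealed class ProjectSettings
{
    public string ProjectName { get; set; } = "";
    public int CycleTimeMs { get; set; }
}

public static class SettingsLoader
{
    // VULNERABLE: the serialized stream, not the caller, decides which types are
    // instantiated. A crafted file can name gadget types whose deserialization
    // callbacks run attacker-chosen code; the cast to ProjectSettings happens
    // only after that code has already executed, so it offers no protection.
    public static ProjectSettings LoadUnsafe(string path)
    {
        using (FileStream stream = File.OpenRead(path))
        {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and insecure
            BinaryFormatter formatter = new BinaryFormatter();
            return (ProjectSettings)formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
        }
    }

    // HARDENED (preferred): a data-only format in which the caller fixes the
    // target type up front. The payload can only supply property values,
    // never type names, so there is no type confusion to trigger.
    public static ProjectSettings LoadSafe(string path)
    {
        string json = File.ReadAllText(path);
        ProjectSettings settings = JsonSerializer.Deserialize<ProjectSettings>(json);
        if (settings == null)
            throw new InvalidDataException("empty or invalid settings file: " + path);
        return settings;
    }

    // DEFENSE IN DEPTH for legacy code that cannot drop BinaryFormatter yet:
    // a binder that rejects every type not on an explicit allow-list.
    // Microsoft's guidance is that this narrows the reachable gadgets but does
    // not make BinaryFormatter safe; treat it as a stopgap, not as the fix.
    public static ProjectSettings LoadLegacyWithAllowList(string path)
    {
        using (FileStream stream = File.OpenRead(path))
        {
#pragma warning disable SYSLIB0011
            BinaryFormatter formatter = new BinaryFormatter();
            formatter.Binder = new AllowListBinder();
            return (ProjectSettings)formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
        }
    }
}

sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(ProjectSettings).FullName)
            return typeof(ProjectSettings);
        // Any other type, including well-known gadget types, is refused outright.
        throw new SerializationException("deserialization of type not permitted: " + typeName);
    }
}
```

The practical check for a code base is to search for every BinaryFormatter.Deserialize call and trace where its stream comes from; any path that starts at a file, network socket or IPC channel an untrusted party can write is an instance of this weakness. Modern .NET marks BinaryFormatter obsolete (warning SYSLIB0011) and later versions disable it by default, which is why the data-only format in LoadSafe is the durable fix rather than the binder.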

Affected Version(s)

SIMATIC STEP 7 Safety V18, all versions earlier than V18 Update 2

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 9 July 2024
