Deserialization Vulnerability in SIMATIC STEP 7 Safety Could Lead to Arbitrary Code Execution
CVE-2023-32737
6.3 MEDIUM
Summary
A vulnerability has been identified in SIMATIC STEP 7 Safety V18 in all versions earlier than V18 Update 2. The affected application deserializes user-controlled input with the .NET BinaryFormatter without adequate restrictions on the types that may be deserialized. An attacker could exploit this to cause a type confusion and potentially execute arbitrary code within the affected application. Organizations running the affected versions are advised to evaluate the impact and update to V18 Update 2 or later to mitigate the risk.
Affected Version(s)
SIMATIC STEP 7 Safety V18 (all versions earlier than V18 Update 2)
References
CVSS V3.1
Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved