Serielization Vulnerability in TeleControl Server Basic Could Allow Arbitrary Code Execution
CVE-2024-44102

10CRITICAL

Key Information:

Vendor: Siemens
Status: Pp Telecontrol Server Basic 1000 To 5000 V3.1; Pp Telecontrol Server Basic 256 To 1000 V3.1; Pp Telecontrol Server Basic 32 To 64 V3.1; Pp Telecontrol Server Basic 64 To 256 V3.1
Vendor: CVE Published:; 12 November 2024

Summary

A vulnerability in Siemens TeleControl Server products has been identified that allows remote attackers to exploit insecure deserialization mechanisms. Specifically, all versions of the TeleControl Server Basic products (Basic 8 to 5000 V3.1) and related upgrades that are below version V3.1.2.1, when configured with redundancy, are affected. An unauthenticated attacker can send specially crafted serialized objects to the affected systems, potentially leading to arbitrary code execution with SYSTEM privileges. This presents a significant security risk, necessitating immediate action to protect deployed systems.

Affected Version(s)

PP TeleControl Server Basic 1000 to 5000 V3.1 0

PP TeleControl Server Basic 256 to 1000 V3.1 0

PP TeleControl Server Basic 32 to 64 V3.1 0

References

https://cert-portal.siemens.com/productcert/html/ssa-4547...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 12, 2024
Vulnerability Reserved
Aug 20, 2024