Session Management Flaw in SIMATIC PCS neo and Related Siemens Products
CVE-2024-45386

8.7HIGH

Key Information:

Vendor: Siemens
Status: Simatic Pcs Neo V4.0; Simatic Pcs Neo V4.1; Simatic Pcs Neo V5.0; Simocode Es V19
Vendor: CVE Published:; 11 February 2025

Summary

A session management vulnerability exists in multiple Siemens products, including SIMATIC PCS neo. The issue arises from the failure to properly invalidate user sessions following logout. As a result, remote attackers could potentially exploit this flaw by reusing session tokens collected through unauthorized means, thereby gaining access to user accounts and sensitive information even after legitimate users have logged out.

Affected Version(s)

SIMATIC PCS neo V4.0 0

SIMATIC PCS neo V4.1 0

SIMATIC PCS neo V5.0 0

References

https://cert-portal.siemens.com/productcert/html/ssa-3423...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Feb 11, 2025
Vulnerability Reserved
Aug 28, 2024