Authentication Bypass Vulnerability in Industrial Edge Device Kit by Siemens
CVE-2024-54092

9.3CRITICAL

Key Information:

Vendor: Siemens
Status: Industrial Edge Device Kit - Arm64 V1.17; Industrial Edge Device Kit - Arm64 V1.18; Industrial Edge Device Kit - Arm64 V1.19; Industrial Edge Device Kit - Arm64 V1.20
Vendor: CVE Published:; 8 April 2025

Summary

A security issue exists in the Industrial Edge Device Kit, where devices fail to properly enforce user authentication on certain API endpoints when identity federation is in use. This vulnerability can allow an unauthenticated remote attacker to bypass security measures and impersonate a legitimate user. Successful exploitation necessitates that identity federation is currently or was previously enabled, as well as knowledge of a legitimate user's identity.

Affected Version(s)

Industrial Edge Device Kit - arm64 V1.17 0

Industrial Edge Device Kit - arm64 V1.18 0

Industrial Edge Device Kit - arm64 V1.19 0

References

https://cert-portal.siemens.com/productcert/html/ssa-6346...

https://cert-portal.siemens.com/productcert/html/ssa-8196...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Apr 8, 2025
Vulnerability Reserved
Nov 28, 2024