Details of VAR-202306-1109

ID

VAR-202306-1109

CVE

CVE-2023-25910

TITLE

Siemens SIMATIC PCS 7 Code injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

DESCRIPTION

A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9.1 SP2 UC04), SIMATIC S7-PM (All versions < V5.7 SP1 HF1), SIMATIC S7-PM (All versions < V5.7 SP2 HF1), SIMATIC STEP 7 V5 (All versions < V5.7). The affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code with elevated privileges in the database management system's server

Trust: 0.99

sources: NVD: CVE-2023-25910 // VULMON: CVE-2023-25910

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic pcs 7	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic s7-pm	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	simatic step 7	scope:	lt	version:	5.7	Trust: 1.0

sources: NVD: CVE-2023-25910

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-25910
value:	HIGH
Trust: 1.0
productcert@siemens.com:	CVE-2023-25910
value:	CRITICAL
Trust: 1.0
CNNVD:	CNNVD-202306-934
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2023-25910
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
productcert@siemens.com:	CVE-2023-25910
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.1
Trust: 1.0

sources: CNNVD: CNNVD-202306-934 // NVD: CVE-2023-25910 // NVD: CVE-2023-25910

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.0

sources: NVD: CVE-2023-25910

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

PATCH

title:

Siemens SIMATIC PCS 7 Fixes for code injection vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=242374

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

EXTERNAL IDS

db:	SIEMENS	id:	SSA-968170	Trust: 1.7
db:	NVD	id:	CVE-2023-25910	Trust: 1.7
db:	CNNVD	id:	CNNVD-202306-934	Trust: 0.6
db:	VULMON	id:	CVE-2023-25910	Trust: 0.1

sources: VULMON: CVE-2023-25910 // CNNVD: CNNVD-202306-934 // NVD: CVE-2023-25910

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-968170.pdf	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/html/ssa-968170.html	Trust: 1.0
url:	https://cxsecurity.com/cveshow/cve-2023-25910/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-25910 // CNNVD: CNNVD-202306-934 // NVD: CVE-2023-25910

SOURCES

db:	VULMON	id:	CVE-2023-25910
db:	CNNVD	id:	CNNVD-202306-934
db:	NVD	id:	CVE-2023-25910

LAST UPDATE DATE

2024-08-14T14:49:01.993000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-25910	date:	2023-06-13T00:00:00
db:	CNNVD	id:	CNNVD-202306-934	date:	2023-06-21T00:00:00
db:	NVD	id:	CVE-2023-25910	date:	2024-05-14T16:15:28.993

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-25910	date:	2023-06-13T00:00:00
db:	CNNVD	id:	CNNVD-202306-934	date:	2023-06-13T00:00:00
db:	NVD	id:	CVE-2023-25910	date:	2023-06-13T09:15:16.280