ID

VAR-202306-1109


CVE

CVE-2023-25910


TITLE

Siemens SIMATIC PCS 7 Code injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

DESCRIPTION

A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9.1 SP2 UC04), SIMATIC S7-PM (All versions < V5.7 SP1 HF1), SIMATIC S7-PM (All versions < V5.7 SP2 HF1), SIMATIC STEP 7 V5 (All versions < V5.7). The affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code with elevated privileges in the database management system's server.

Trust: 0.99

sources: NVD: CVE-2023-25910 // VULMON: CVE-2023-25910

AFFECTED PRODUCTS

vendor: siemens, model: simatic pcs 7, scope: eq, version: *

Trust: 1.0

vendor: siemens, model: simatic s7-pm, scope: eq, version: *

Trust: 1.0

vendor: siemens, model: simatic step 7, scope: lt, version: 5.7

Trust: 1.0

sources: NVD: CVE-2023-25910

CVSS

SEVERITY

nvd@nist.gov: CVE-2023-25910
value: HIGH

Trust: 1.0

productcert@siemens.com: CVE-2023-25910
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-202306-934
value: HIGH

Trust: 0.6

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-25910
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

productcert@siemens.com: CVE-2023-25910
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: CNNVD: CNNVD-202306-934 // NVD: CVE-2023-25910 // NVD: CVE-2023-25910

PROBLEMTYPE DATA

problemtype: CWE-94

Trust: 1.0

sources: NVD: CVE-2023-25910

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

PATCH

title: Siemens SIMATIC PCS 7 Fixes for code injection vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=242374

Trust: 0.6

sources: CNNVD: CNNVD-202306-934

EXTERNAL IDS

db: SIEMENS, id: SSA-968170

Trust: 1.7

db: NVD, id: CVE-2023-25910

Trust: 1.7

db: CNNVD, id: CNNVD-202306-934

Trust: 0.6

db: VULMON, id: CVE-2023-25910

Trust: 0.1

sources: VULMON: CVE-2023-25910 // CNNVD: CNNVD-202306-934 // NVD: CVE-2023-25910

REFERENCES

url: https://cert-portal.siemens.com/productcert/pdf/ssa-968170.pdf

Trust: 1.7

url: https://cert-portal.siemens.com/productcert/html/ssa-968170.html

Trust: 1.0

url: https://cxsecurity.com/cveshow/cve-2023-25910/

Trust: 0.6

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-25910 // CNNVD: CNNVD-202306-934 // NVD: CVE-2023-25910

SOURCES

db: VULMON, id: CVE-2023-25910
db: CNNVD, id: CNNVD-202306-934
db: NVD, id: CVE-2023-25910

LAST UPDATE DATE

2024-08-14T14:49:01.993000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-25910, date: 2023-06-13T00:00:00
db: CNNVD, id: CNNVD-202306-934, date: 2023-06-21T00:00:00
db: NVD, id: CVE-2023-25910, date: 2024-05-14T16:15:28.993

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-25910, date: 2023-06-13T00:00:00
db: CNNVD, id: CNNVD-202306-934, date: 2023-06-13T00:00:00
db: NVD, id: CVE-2023-25910, date: 2023-06-13T09:15:16.280