ICS-CERT announces updates for several Siemens products

ICS-CERT released eight advisories addressing several vulnerabilities in Siemens products, many of which could be exploited remotely.

The vulnerabilities consisted of improper access control flaws, improper input validation, code injection, cross-site scripting, resource exhaustion, unprotected storage of credentials, improper authentication, path traversal, and open redirect vulnerabilities.

The vulnerabilities affect various Siemens equipment, including the firm’s SIMATIC Panels, SIMATIC WinCC, SCALANCE S, SIMATIC S7, SIMATIC STEP 7, and SIMATIC IT Production Suite products.

An improper access control flaw affecting the IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products could allow a remote attacker to exfiltrate limited data from the system or execute code with operating system user permissions. A cross-site scripting flaw in the firm’s SCALANCE S product could allow arbitrary script injection.

Updates have been released and researchers recommend users update these products to their latest version to avoid exploitation.
