Inadequate Encryption Strength in Siemens products - CVE-2023-36748
Published: July 17, 2023
Vulnerability identifier: #VU78315
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-36748
CWE-ID: CWE-326
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Siemens
Affected software:
RUGGEDCOM ROX MX5000
RUGGEDCOM ROX MX5000RE
RUGGEDCOM ROX RX1400
RUGGEDCOM ROX RX1500
RUGGEDCOM ROX RX1501
RUGGEDCOM ROX RX1510
RUGGEDCOM ROX RX1511
RUGGEDCOM ROX RX1512
RUGGEDCOM ROX RX1524
RUGGEDCOM ROX RX1536
RUGGEDCOM ROX RX5000
RUGGEDCOM ROX MX5000
RUGGEDCOM ROX MX5000RE
RUGGEDCOM ROX RX1400
RUGGEDCOM ROX RX1500
RUGGEDCOM ROX RX1501
RUGGEDCOM ROX RX1510
RUGGEDCOM ROX RX1511
RUGGEDCOM ROX RX1512
RUGGEDCOM ROX RX1524
RUGGEDCOM ROX RX1536
RUGGEDCOM ROX RX5000
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected devices are configured to offer weak ciphers by default. A remote attacker on the local network can perform a man-in-the-middle attack to read and modify any data passed over to and from the affected device.
How to mitigate CVE-2023-36748
Install updates from vendor's website.