#VU101656 Insufficiently protected credentials in CPCI85 Central Processing/Communication - CVE-2024-53832

Cybersecurity Help s.r.o.

Published: 2024-12-11

Vulnerability identifier: #VU101656

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53832

CWE-ID: CWE-522

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
CPCI85 Central Processing/Communication
Hardware solutions / Firmware

Vendor: Siemens

Description

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to the affected devices contain a secure element which is connected via an unencrypted SPI bus. An attacker with physical access can decrypt all encrypted update files.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CPCI85 Central Processing/Communication: before 05.30

External links
https://cert-portal.siemens.com/productcert/html/ssa-128393.html

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Insufficiently protected credentials in Siemens CPCI85 Central Processing/Communication