#VU68260 Input validation error in Siemens products - CVE-2022-40181
Vulnerability identifier: #VU68260
Vulnerability risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Desigo PXM30-1
Hardware solutions /
Firmware
Desigo PXM30.E
Hardware solutions /
Firmware
Desigo PXM40-1
Hardware solutions /
Firmware
Desigo PXM40.E
Hardware solutions /
Firmware
Desigo PXM50-1
Hardware solutions /
Firmware
Desigo PXM50.E
Hardware solutions /
Firmware
PXG3.W100-1
Hardware solutions /
Firmware
PXG3.W100-2
Hardware solutions /
Firmware
PXG3.W200-1
Hardware solutions /
Firmware
PXG3.W200-2
Hardware solutions /
Firmware
Vendor: Siemens
Description
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to the device embedded browser does not prevent interaction with alternative URI schemes when redirected to corresponding resources by web application code. A remote user can execute arbitrary code on the target system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Desigo PXM30-1: before 02.20.126.11-41
Desigo PXM30.E: before 02.20.126.11-41
Desigo PXM40-1: before 02.20.126.11-41
Desigo PXM40.E: before 02.20.126.11-41
Desigo PXM50-1: before 02.20.126.11-41
Desigo PXM50.E: before 02.20.126.11-41
PXG3.W100-1: before 02.20.126.11-37
PXG3.W100-2: before 02.20.126.11-41
PXG3.W200-1: before 02.20.126.11-37
PXG3.W200-2: before 02.20.126.11-41
External links
https://cert-portal.siemens.com/productcert/pdf/ssa-360783.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
