Vulnerability identifier: #VU95993
Vulnerability risk: Medium
CVSSv4.0: 2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-326
Exploitation vector: Local network
Exploit availability: No
Vulnerable software: Location Intelligence family (Hardware solutions / Firmware)
Vendor: Siemens
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the web server is configured to support weak ciphers by default. A remote attacker on the local network can read and modify any data passed over the connection between legitimate clients and the affected device.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Location Intelligence family: before 4.4
External links
https://cert-portal.siemens.com/productcert/html/ssa-720392.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.