#VU97143 Authorization bypass through user-controlled key in Industrial Edge Management Pro and Industrial Edge Management Virtual - CVE-2024-45032

Cybersecurity Help s.r.o.

Published: 2024-09-11

Vulnerability identifier: #VU97143

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-45032

CWE-ID: CWE-639

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Industrial Edge Management Pro
Other software / Other software solutions
Industrial Edge Management Virtual
Other software / Other software solutions

Vendor: Siemens

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the affected components do not properly validate the device tokens. A remote attacker can impersonate other devices onboarded to the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Industrial Edge Management Pro: before 1.9.5

Industrial Edge Management Virtual: before 2.3.1-1

External links
https://cert-portal.siemens.com/productcert/html/ssa-359713.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Authorization bypass through user-controlled key in Siemens Industrial Edge Management