#VU98285 Improper Neutralization of Argument Delimiters in a Command in Siemens SINEC Security Monitor - CVE-2024-47553

Cybersecurity Help s.r.o.

Published: 2024-10-09

Vulnerability identifier: #VU98285

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-47553

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Siemens SINEC Security Monitor
Hardware solutions / Firmware

Vendor: Siemens

Description

The vulnerability allows a remote attacker to execute arbitrary argument.

The vulnerability exists due to the affected application does not properly validate user input to the ssmctl-client command. A remote user can execute arbitrary code with root privileges on the underlying OS.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Siemens SINEC Security Monitor: before 4.9.0

External links
https://cert-portal.siemens.com/productcert/html/ssa-430425.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens SINEC Security Monitor