Description
A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected system allows users to upload JSON objects, which are then deserialized into Java objects. Because the affected software deserializes this user-supplied content insecurely, a privileged attacker could exploit the vulnerability by sending a maliciously crafted serialized Java object. This could allow the attacker to execute arbitrary code on the device with root privileges.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
- E: Physical
- RL: T
- RC: Changed
Affected products
- Siemens / SINEC NMS – All versions >= V1.0.3 < V2.0
- Siemens / SINEC NMS – All versions < V1.0.3
- Siemens / SINEMA Server V14 – All versions