Description
A vulnerability has been identified in SIMATIC BATCH V9.1 (All versions), SIMATIC Information Server 2020 (All versions < V2020 SP2 Update 5), SIMATIC Information Server 2022 (All versions < V2022 SP1 Update 2), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP2 UC06), SIMATIC Process Historian 2020 (All versions < V2020 SP2 Update 5), SIMATIC Process Historian 2022 (All versions < V2022 SP1 Update 2), SIMATIC WinCC Runtime Professional V18 (All versions < V18 Update 5), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 3), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 18), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products run their DB server with elevated privileges, which could allow an authenticated attacker to execute arbitrary OS commands with administrative privileges.
Affected products
- Siemens / SIMATIC BATCH V9.1: 0 – *
- Siemens / SIMATIC Information Server 2020: 0 – V2020 SP2 Update 5
- Siemens / SIMATIC Information Server 2022: 0 – V2022 SP1 Update 2
- Siemens / SIMATIC PCS 7 V9.1: 0 – V9.1 SP2 UC06
- Siemens / SIMATIC Process Historian 2020: 0 – V2020 SP2 Update 5
- Siemens / SIMATIC Process Historian 2022: 0 – V2022 SP1 Update 2
- Siemens / SIMATIC WinCC Runtime Professional V18: 0 – V18 Update 5
- Siemens / SIMATIC WinCC Runtime Professional V19: 0 – V19 Update 3
- Siemens / SIMATIC WinCC V7.4: 0 – *
- Siemens / SIMATIC WinCC V7.5: 0 – V7.5 SP2 Update 18
- Siemens / SIMATIC WinCC V8.0: 0 – V8.0 Update 5