As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v3 8.2
- ATTENTION: Low attack complexity
- Vendor: Siemens
- Equipment: Desigo CC Product Family and SENTRON Powermanager
- Vulnerability: Least Privilege Violation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow privilege escalation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
- Desigo CC family V5.0: All versions
- Desigo CC family V5.1: All versions
- Desigo CC family V6: All versions
- Desigo CC family V7: All versions
- Desigo CC family V8: All versions
- SENTRON Powermanager V5: All versions
- SENTRON Powermanager V6: All versions
- SENTRON Powermanager V7: All versions
- SENTRON Powermanager V8: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 LEAST PRIVILEGE VIOLATION CWE-272
Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot). For exploitation, there must have been an unprivileged installation with UAC, and the CodeMeter Control Center component must be installed, and the CodeMeter Control Center component must not have been restarted. In this scenario, the local user can navigate from Import License to a privileged instance of Windows Explorer.
CVE-2025-47809 has been assigned to this vulnerability. A
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: