Description

A vulnerability has been identified in SIMATIC BATCH V9.1 (All versions), SIMATIC Information Server 2020 (All versions < V2020 SP2 Update 5), SIMATIC Information Server 2022 (All versions < V2022 SP1 Update 2), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP2 UC06), SIMATIC Process Historian 2020 (All versions < V2020 SP2 Update 5), SIMATIC Process Historian 2022 (All versions < V2022 SP1 Update 2), SIMATIC WinCC Runtime Professional V18 (All versions < V18 Update 5), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 3), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 18), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products run their DB server with elevated privileges which could allow an authenticated attacker to execute arbitrary OS commands with administrative privileges.

PUBLISHED Reserved 2024-05-17 | Published 2024-09-10 | Updated 2025-01-14 | Assigner siemens




CRITICAL: 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CRITICAL: 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-250: Execution with Unnecessary Privileges

Product status

Default status for every product listed: unknown

SIMATIC BATCH V9.1: any version before * affected
SIMATIC Information Server 2020: any version before V2020 SP2 Update 5 affected
SIMATIC Information Server 2022: any version before V2022 SP1 Update 2 affected
SIMATIC PCS 7 V9.1: any version before V9.1 SP2 UC06 affected
SIMATIC Process Historian 2020: any version before V2020 SP2 Update 5 affected
SIMATIC Process Historian 2022: any version before V2022 SP1 Update 2 affected
SIMATIC WinCC Runtime Professional V18: any version before V18 Update 5 affected
SIMATIC WinCC Runtime Professional V19: any version before V19 Update 3 affected
SIMATIC WinCC V7.4: any version before * affected
SIMATIC WinCC V7.5: any version before V7.5 SP2 Update 18 affected
SIMATIC WinCC V8.0: any version before V8.0 Update 5 affected

References

cert-portal.siemens.com/productcert/html/ssa-629254.html

cve.org (CVE-2024-35783)

nvd.nist.gov (CVE-2024-35783)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.