CVE-2024-35783 — Vulnetix

CVE-2024-35783 PUBLISHED CVSS 9.100000381469727 CRITICAL

A vulnerability has been identified in SIMATIC BATCH V9.1 (All versions), SIMATIC Information Server 2020 (All versions), SIMATIC Information Server 2022 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC Process Historian 2020 (All versions), SIMATIC Process Historian 2022 (All versions), SIMATIC WinCC Runtime Professional V18 (All versions), SIMATIC WinCC Runtime Professional V19 (All versions), SIMATIC WinCC V7.4 (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 18), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products run their DB server with elevated privileges which could allow an authenticated attacker to execute arbitrary OS commands with administrative privileges.

EPSS 0.18% · 38.9th percentile

Risk Scores

CVSS v3.1

9.100000381469727

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

EPSS Score

0.18%

38.9th percentile

Affected Products

Vendor	Product	Versions
Siemens	SIMATIC BATCH V9.1	0
siemens	simatic_wincc	7.4, 8.0
Siemens	SIMATIC Information Server 2022	0
Siemens	SIMATIC Information Server 2020	0
Siemens	SIMATIC Process Historian 2022	0
Siemens	SIMATIC WinCC V7.5	0
Siemens	SIMATIC WinCC Runtime Professional V19	0
Siemens	SIMATIC WinCC V8.0	0
Siemens	SIMATIC WinCC Runtime Professional V18	0
Siemens	SIMATIC Process Historian 2020	0
Siemens	SIMATIC WinCC V7.4	0
Siemens	SIMATIC PCS 7 V9.1	0
siemens	simatic_batch	0

Timeline

Sep 10, 2024 CVE Published
Sep 10, 2024 PoC Published
Sep 11, 2024 EPSS Score
Sep 14, 2024 PoC Published
Sep 15, 2024 PoC Published
Oct 1, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Oct 15, 2024 Coalition ESS Score
Oct 21, 2024 EPSS Score
Nov 9, 2024 EPSS Score
Nov 12, 2024 Coalition ESS Score
Nov 29, 2024 EPSS Score

References

Open in Interactive Console →