SSA-773256 — Vulnetix

SSA-773256 PUBLISHED CVSS 7.300000190734863 HIGH

A Socket.IO vulnerability affects multiple Siemens industrial products. This vulnerability consists of a specially crafted Socket.IO packet that triggers an uncaught exception on the Socket.IO server killing the Node.js process allowing a remote attacker to cause Denial-of-Service condition in the affected products. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

Risk Scores

CVSS 3.1

7.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products

Vendor	Product	Versions
	SIMATIC PCS neo V4.1
	SIMATIC WinCC Runtime Professional V19
	SIMATIC WinCC V8.0
	SIMATIC PCS neo V5.0
	SIMATIC WinCC Runtime Professional V17
	Data Flow Monitoring Industrial Edge Device User Interface (DFM IED UI)
	LiveTwin Industrial Edge app (6AV2170-0BL00-0AA0)
	SIMATIC WinCC V7.5
	SIMATIC WinCC Runtime Professional V18
	SIMATIC WinCC V7.4
	TIA Administrator
	AI Model Deployer

Exploit Intelligence

Proof of concept of CVE-2024-47554 (github-poc-repo)
Proof of concept of CVE-2024-47554 (github-poc-repo)
Proof of concept of CVE-2024-47554 (github-poc)
Proof of concept of CVE-2024-47554 (github-poc)
https://cert-portal.siemens.com/productcert/html/ssa-773256.html (circl)
https://cert-portal.siemens.com/productcert/csaf/ssa-773256.json (circl)
https://iehub.eu1.edge.siemens.cloud/ (circl)
https://support.industry.siemens.com/cs/ww/en/view/109977244/ (circl)
https://support.industry.siemens.com/cs/ww/en/view/109793460/ (circl)
summary.html (github-poc)

…and 1 more exploits

Timeline

Sep 10, 2024 CVE Published
Jan 14, 2025 CVE Updated

References

Open in Interactive Console →