CVE-2020-10055

A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
siemensCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
siemensdesigo_consumption_control
3.0
siemensdesigo_consumption_control
4.0
siemensdesigo_consumption_control_compact
3.0
siemensdesigo_consumption_control_compact
4.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
siemensdesigo_cc
4.0 ≤
𝑥
< 5.0
CNA
siemensdesigo_cc
3.0 ≤
𝑥
< 4.0
CNA
Common Weakness Enumeration
References
https://cert-portal.siemens.com/productcert/pdf/ssa-786743.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-20-224-06
https://cert-portal.siemens.com/productcert/pdf/ssa-786743.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-20-224-06