CVE-2022-33138

A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication for several web API endpoints. This could allow an unauthenticated remote attacker to read and download data from the device.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
siemensCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
VendorProductVersion
siemenssimatic_mv540_h_firmware
𝑥
< 3.3
siemenssimatic_mv540_s_firmware
𝑥
< 3.3
siemenssimatic_mv550_h_firmware
𝑥
< 3.3
siemenssimatic_mv550_s_firmware
𝑥
< 3.3
siemenssimatic_mv560_u_firmware
𝑥
< 3.3
siemenssimatic_mv560_x_firmware
𝑥
< 3.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf