CVE-2022-25311

moderate-risk
Published 2022-03-08

A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation.

Do I need to act?

-
0.14% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.3/10 High
LOCAL / LOW complexity

Affected Products (2)

Sinec Network Management System

Affected Vendors

Siemens

References (2)

Mitigation https://cert-portal.siemens.com/productcert/pdf/ssa-250085.pdf
Mitigation https://cert-portal.siemens.com/productcert/pdf/ssa-250085.pdf
31
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 1/34 · Minimal
Exposure 7/34 · Low