CVE-2022-33139
moderate-risk
Published 2022-06-21
A vulnerability has been identified in Cerberus DMS (All versions), Desigo CC (All versions), Desigo CC Compact (All versions), SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration). Affected applications use client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated.
Do I need to act?
EPSS score: 0.41% chance of exploitation (low exploit probability)
CISA KEV: not on the CISA KEV list; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 9.8/10, Critical (attack vector NETWORK / LOW complexity)
Affected Products (6)
Cerberus DMS
Desigo CC
Desigo CC Compact
References (4)
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-111512.pdf
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-836027.pdf
Risk score: 47 / 100 (moderate-risk)
Severity: 32/34 · Critical
Exploitability: 2/34 · Minimal
Exposure: 13/34 · Low