CVE-2023-28829

low-risk
Published 2023-06-13

A vulnerability has been identified in SIMATIC NET PC Software V14 (All versions), SIMATIC NET PC Software V15 (All versions), SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC (All versions < V8.0), SINAUT Software ST7sc (All versions). Before SIMATIC WinCC V8, legacy OPC services (OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms & Events)) were used per default. These services were designed on top of the Windows ActiveX and DCOM mechanisms and do not implement state-of-the-art security mechanisms for authentication and encryption of contents.

Do I need to act?

-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.9/10 Low
ADJACENT_NETWORK / HIGH complexity

Affected Products (7)

Simatic Net Pc Software
Simatic Net Pc Software
Sinaut St7Sc

Affected Vendors

Siemens

References (2)

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-508677.pdf
Patch https://cert-portal.siemens.com/productcert/pdf/ssa-508677.pdf
24
/ 100
low-risk
Severity 10/34 · Low
Exploitability 0/34 · Minimal
Exposure 14/34 · Moderate