CVE-2022-33139 vulnerability in Siemens Products
Published on June 21, 2022
A vulnerability has been identified in Cerberus DMS (All versions), Desigo CC (All versions), Desigo CC Compact (All versions), SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration). Affected applications use client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated.
Weakness Type
Use of Client-Side Authentication
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
Products Associated with CVE-2022-33139
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-33139 are published in these products:
Affected Versions
Siemens Cerberus DMS:- Version All versions is affected.
- Version All versions is affected.
- Version All versions is affected.
- Version All versions in default configuration is affected.
- Version All versions in non-default configuration is affected.
- Version All versions in non-default configuration is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.