CVE-2023-49251 is a vulnerability in Siemens Simatic Cn 4100
Published on January 9, 2024
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.7). The "intermediate installation" system state of the affected application allows an attacker to add their own login credentials to the device. This allows an attacker to remotely login as root and take control of the device even after the affected device is fully set up.
Vulnerability Analysis
CVE-2023-49251 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2023-49251 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2023-49251
You can be notified by stack.watch whenever vulnerabilities like CVE-2023-49251 are published in these products:
What versions of Simatic Cn 4100 are vulnerable to CVE-2023-49251?
-
Siemens Simatic Cn 4100
Fixed in Version 2.7