Cyber Resilience

CVE-2022-23450

Critical · RCE

Published: 12 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (V7.3 Update 1)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3334 (97.0th percentile)
Risk Priority: 40 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23450 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Siemens SIMATIC Energy Manager Basic and SIMATIC Energy Manager PRO. Its CVSS v3.1 base score is 9.8 (Critical).

Its EPSS score places it in the top 3.0% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability has been identified in SIMATIC Energy Manager Basic and SIMATIC Energy Manager PRO, affecting all versions prior to V7.3 Update 1. The issue stems from insecure deserialization of user-supplied content (CWE-502): the affected software accepts serialized objects over the network and deserializes them without restricting which types may be instantiated or verifying that the data came from a trusted source.

An unauthenticated attacker can therefore exploit the flaw by sending a specially crafted serialized object, resulting in arbitrary code execution on the target device with SYSTEM-level privileges. The CVSS 3.1 base score of 9.8 reflects the network attack vector, low attack complexity, and the absence of any required authentication or user interaction. Because the attack needs only network reachability, restricting access to the affected service from untrusted networks is the practical compensating control until the update is applied.

Siemens has published advisory SSA-655554, which lists the affected products and directs users to update to V7.3 Update 1, which resolves the deserialization weakness. The current and peak EPSS scores both stand at 0.3334, with no material increase observed after disclosure.


Vulnerability details

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.

CWE(s)

CWE-502: Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Siemens SIMATIC Energy Manager Basic: version 7.3 (range ≤ 7.3); all versions prior to V7.3 Update 1 are affected
Siemens SIMATIC Energy Manager PRO: version 7.3 (range ≤ 7.3); all versions prior to V7.3 Update 1 are affected

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following addresses CWE-502:

- Penetration testing that supplies malicious serialized objects to the exposed interface detects unsafe deserialization and drives corrective action.
- Security evaluation of untrusted-data handling (deserialization testing) reveals unsafe processing that the remediation process must then address.
- Untrusted serialized data can be deserialized and observed inside an isolated sandbox (detonation chamber), so that gadget-chain exploitation is contained and never reaches the production system.
- Input validation that validates or rejects untrusted serialized data before deserialization occurs, for example by allow-listing the types that may be instantiated.
- Boundary defences that identify and block malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized data (for example a keyed MAC or signature checked before the bytes are parsed) detects tampering before deserialization occurs.
- Data provenance tracking allows data from untrusted sources to be recognised and refused before deserialization or further processing.
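The following is an added illustration of the weakness class described in the analysis above and of two of the controls just listed (allow-listing what may be instantiated, and integrity-checking the bytes before any parsing happens). It is not code from SIMATIC Energy Manager or from Siemens: the page does not name the product's serialization format, so Python's pickle is used as a stand-in, and the `MeterReading` type, the `Gadget` payload, the demo key and the sample values are constructed for the example.

```python
"""Added example (not the product's code): CWE-502 in Python pickle,
the vulnerable pattern beside two hardened variants."""
import hashlib
import hmac
import io
import os
import pickle


class MeterReading:
    """Harmless application object (constructed sample type)."""

    def __init__(self, meter_id: str, kwh: float):
        self.meter_id = meter_id
        self.kwh = kwh


class Gadget:
    """What an attacker serializes. On load, pickle invokes the callable
    returned by __reduce__ with the given arguments; os.getcwd is a
    visible but harmless stand-in for os.system or similar."""

    def __reduce__(self):
        return (os.getcwd, ())


def unsafe_load(blob: bytes):
    """The CWE-502 pattern: deserialize whatever arrived on the network.
    A Gadget blob makes this return the *result of os.getcwd()*, i.e.
    attacker-chosen code ran during deserialization."""
    return pickle.loads(blob)


# Control 1: allow-list the types that deserialization may instantiate.
# Classes are resolved from a fixed table, never via import of an
# attacker-supplied module name.
ALLOWED_GLOBALS = {(MeterReading.__module__, "MeterReading"): MeterReading}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Control 2: integrity-check the serialized bytes *before* parsing them,
# so tampered or unsigned data is rejected without ever being deserialized.
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(blob: bytes, key: bytes) -> bytes:
    tag = hmac.new(key, blob, hashlib.sha256).digest()
    return tag + blob


def verify_and_load(msg: bytes, key: bytes):
    tag, blob = msg[:TAG_LEN], msg[TAG_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; rejected before deserialization")
    return restricted_load(blob)  # still allow-listed, in case the key leaks


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; real keys come from a secret store
    good = pickle.dumps(MeterReading("M-01", 12.5))
    evil = pickle.dumps(Gadget())

    unsafe_result = unsafe_load(evil)          # a str: os.getcwd() actually ran
    try:
        restricted_load(evil)
        allowlist_blocked = False
    except pickle.UnpicklingError:
        allowlist_blocked = True
    signed_ok = verify_and_load(sign(good, key), key)
    try:
        verify_and_load(sign(evil, b"wrong-key"), key)  # forged/unsigned payload
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {
        "unsafe_ran_code": isinstance(unsafe_result, str),
        "allowlist_blocked": allowlist_blocked,
        "signed_kwh": signed_ok.kwh,
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The order in `verify_and_load` is the point: the MAC is checked over the raw bytes and a failure raises before the unpickler sees a single opcode, which is what "integrity verification before deserialization occurs" means in practice. The allow-list is kept even on the verified path because a leaked signing key would otherwise turn the integrity check into a bypass of the type restriction.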
