CVE-2022-45092
Published: 10 January 2023
Summary
CVE-2022-45092 is a critical-severity Path Traversal (CWE-22) vulnerability in Siemens SINEC INS. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A path traversal vulnerability tracked as CVE-2022-45092 affects Siemens SINEC INS in all versions prior to V1.0 SP2 Update 1. The flaw resides in the Web Based Management interface listening on TCP port 443 and is classified under CWE-22. An authenticated remote attacker can supply crafted requests that read or write arbitrary files on the underlying file system, which may be leveraged to achieve remote code execution.
Because the attack requires valid credentials and network access to the management interface, an adversary who has already obtained low-privileged web credentials can fully compromise the confidentiality, integrity, and availability of the affected appliance. The CVSS 3.1 score of 9.9 reflects the combination of network attack vector, low complexity, and the change in scope that allows the attacker to impact resources beyond the vulnerable component itself.
Siemens advisory SSA-332410 states that the issue is resolved in SINEC INS V1.0 SP2 Update 1 and later; administrators should apply the update and restrict web-management access to trusted networks. The EPSS score rose from a low baseline to a peak of 0.3535 on 2025-12-11 before receding to the current value of 0.0381, indicating a period of increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-48013
Vulnerability details
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 1). An authenticated remote attacker with access to the Web Based Management (443/tcp) of the affected product, could potentially read and write arbitrary files from and to the device's file system. An attacker might leverage this to trigger remote code execution on the affected component.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.