Cyber Resilience

CVE-2022-45092

Critical

Published: 10 January 2023
Modified: 21 November 2024
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0381 (88.4th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-45092 is a critical-severity path traversal (CWE-22) vulnerability in Siemens SINEC INS. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, it ranks in the top 11.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A path traversal vulnerability tracked as CVE-2022-45092 affects Siemens SINEC INS in all versions prior to V1.0 SP2 Update 1. The flaw resides in the Web Based Management interface listening on TCP port 443 and is classified under CWE-22. An authenticated remote attacker can supply crafted requests that read or write arbitrary files on the underlying file system, which may be leveraged to achieve remote code execution.

Because the attack requires valid credentials and network access to the management interface, an adversary who has already obtained low-privileged web credentials can fully compromise the confidentiality, integrity, and availability of the affected appliance. The CVSS 3.1 score of 9.9 reflects the combination of network attack vector, low complexity, and the change in scope that allows the attacker to impact resources beyond the vulnerable component itself.

Siemens advisory SSA-332410 states that the issue is resolved in SINEC INS V1.0 SP2 Update 1 and later; administrators should apply the update and restrict web-management access to trusted networks. The EPSS score rose from a low baseline to a peak of 0.3535 on 2025-12-11 before receding to the current value of 0.0381, indicating a period of increased exploitation interest after public disclosure.

Vulnerability details

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 1). An authenticated remote attacker with access to the Web Based Management (443/tcp) of the affected product could potentially read and write arbitrary files from and to the device's file system. An attacker might leverage this to trigger remote code execution on the affected component.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: siemens; product: sinec ins; version: 1.0 (≤ 1.0)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
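As an added illustration of that control (example code written here, not code from the page, Siemens or the SINEC INS product), a Python path-containment guard of the kind a web-management file handler needs: it canonicalises the user-supplied name (bounded percent-decoding, backslash normalisation, realpath) and refuses anything that resolves outside the base directory, for reads and writes alike. The base directory, file name and file contents used are constructed sample values.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""

def resolve_under_base(base_dir: str, user_path: str, max_decode_rounds: int = 2) -> str:
    """Return the canonical absolute path for user_path, or raise if it escapes base_dir."""
    decoded = user_path
    for _ in range(max_decode_rounds):  # undo (double) percent-encoding, bounded
        fresh = unquote(decoded)
        if fresh == decoded:
            break
        decoded = fresh
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator as well
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))  # resolves '..' and symlinks
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return candidate

def is_safe_path(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except PathTraversalError:
        return False

def read_managed_file(base_dir: str, user_path: str) -> bytes:
    with open(resolve_under_base(base_dir, user_path), "rb") as fh:
        return fh.read()

def write_managed_file(base_dir: str, user_path: str, data: bytes) -> int:
    with open(resolve_under_base(base_dir, user_path), "wb") as fh:
        return fh.write(data)

def demo() -> dict:
    """Round-trip a file through the guard in a scratch directory (constructed sample data)."""
    with tempfile.TemporaryDirectory() as base:
        write_managed_file(base, "device.cfg", b"hostname=sinec-lab\n")
        content = read_managed_file(base, "device.cfg")
        blocked = not is_safe_path(base, "..%2F..%2Fetc%2Fpasswd")
    return {"content": content, "traversal_blocked": blocked}
```

The containment test is done on the resolved path rather than by searching the input for "..", so encoded, mixed-separator and symlink variants are all judged by where they actually land.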
