Cyber Resilience

CVE-2023-33919

HighPublic PoCRCE

Published: 13 June 2023

Published
13 June 2023
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0985 93.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-33919 is a high-severity Command Injection (CWE-77) vulnerability in Siemens Cpci85 Firmware. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability CVE-2023-33919 is a command injection flaw (CWE-77) in the web interface of Siemens CP-8031 MASTER MODULE and CP-8050 MASTER MODULE devices running firmware versions prior to CPCI85 V05. It stems from missing server-side input sanitization and carries a CVSS 3.1 score of 7.2.

An authenticated attacker with privileged remote access can supply crafted input to the web interface and execute arbitrary commands with root privileges on the affected devices.

Siemens has published advisory SSA-731916 detailing the issue, while public disclosures and proof-of-concept material have appeared on Full Disclosure and Packet Storm. The associated EPSS score reached a peak of 0.1174 before receding to its current value of 0.0985.

EU & UK References

Vulnerability details

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation.…

more

This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

siemens
cpci85 firmware
≤ v05 · ≤ v05

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References