CVE-2023-33919
Published: 13 June 2023
Summary
CVE-2023-33919 is a high-severity Command Injection (CWE-77) vulnerability in Siemens Cpci85 Firmware. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2023-33919 is a command injection flaw (CWE-77) in the web interface of Siemens CP-8031 MASTER MODULE and CP-8050 MASTER MODULE devices running firmware versions prior to CPCI85 V05. It stems from missing server-side input sanitization and carries a CVSS 3.1 score of 7.2.
An authenticated attacker with privileged remote access can supply crafted input to the web interface and execute arbitrary commands with root privileges on the affected devices.
Siemens has published advisory SSA-731916 detailing the issue, while public disclosures and proof-of-concept material have appeared on Full Disclosure and Packet Storm. The associated EPSS score reached a peak of 0.1174 before receding to its current value of 0.0985.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38069
Vulnerability details
A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation.…
more
This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.