OTPulse

Siemens APOGEE Insight Incorrect File Permissions Vulnerability (Update A)

Risk: Low (CVSS 3.4)
Advisory: ICS-CERT ICSA-16-082-01A
Published: Dec 24, 2016
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

APOGEE Insight versions below 3.15 set incorrect permissions on some of their files, which allows users who already hold high-level privileges to read or modify files they should not have access to. The weakness is classified as CWE-276 (Incorrect Default Permissions) and affects building automation configuration and data.

What this means
What could happen
A user with high-level system access could read or modify sensitive files on the APOGEE Insight server, potentially including system configuration, user credentials, or building automation logic that controls HVAC and other building systems.
Who's at risk
Organizations using Siemens APOGEE Insight for building automation and energy management, particularly facility managers and building operations staff who rely on this system to control HVAC, lighting, and other building systems.
How it could be exploited
An attacker with administrative or high-privilege access to the APOGEE Insight system could exploit overly permissive file permissions to read or modify files they should not have access to, potentially altering building control logic or extracting sensitive configuration data.
Prerequisites
  • High-privilege account access (administrator or equivalent) on the APOGEE Insight server
  • Local access or authenticated remote access to the affected system
Tags: no patch available; requires high-privilege access; low CVSS score (3.4)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product           Affected Versions   Fix Status
APOGEE Insight    <3.15               No fix (EOL)
Remediation & Mitigation
Mitigations - no patch available
APOGEE Insight: <3.15 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • [Hardening] Apply the principle of least privilege: audit and restrict file permissions on APOGEE Insight servers so that users and service accounts have only the minimum necessary access to files and directories.
  • [Hardening] Implement access controls and role-based permissions within APOGEE Insight to limit administrative capabilities to only the users who need them.
  • [Hardening] Monitor and audit file access and modifications on APOGEE Insight servers for unauthorized changes.
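The first and third controls can be carried out with a single script on the Windows host that runs APOGEE Insight. The example below is added here for illustration and is not part of the advisory or of any Siemens tooling: it lists NTFS ACEs under the install directory that grant write-class rights to broad groups, optionally removes the explicit ones (breaking inheritance at the root so inherited copies can be removed too), and adds a SACL so later writes are logged to the Security event log. The install path, the list of "broad" principals and the -Fix switch are assumptions made for this example; adjust them to the actual installation.

```powershell
# Added example for this page, not Siemens code: audit NTFS permissions under an
# APOGEE Insight install directory, optionally strip explicit write-class ACEs granted to
# broad groups, and enable a SACL so later writes are logged (Security event ID 4663).
# Assumptions: Windows host; the default $Root below is a placeholder, not a documented path.
param(
    [string]$Root = 'C:\Siemens\APOGEE Insight',   # assumed install path, adjust to yours
    [switch]$Fix                                   # without -Fix the script only reports
)

# Principals that should never hold write-class rights on application files (assumed list)
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any ACE carrying one of these bits lets the holder change or delete content or ACLs;
# Modify and FullControl are supersets of these bits, so they match as well.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    return ($Ace.AccessControlType -eq 'Allow') -and
           ($BroadPrincipals -contains $Ace.IdentityReference.Value) -and
           (($Ace.FileSystemRights -band $WriteRights) -ne 0)
}

function Find-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if (Test-WeakAce $ace) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        # Inherited entries cannot be removed here; they disappear once the parent is fixed
        if ($ace.IsInherited -or -not (Test-WeakAce $ace)) { continue }
        if ($acl.RemoveAccessRule($ace)) { $changed = $true }
    }
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $changed
}

$targets = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force |
                        Select-Object -ExpandProperty FullName)

# 1. Report every weak ACE, explicit or inherited, with the path it sits on
$findings = foreach ($t in $targets) { Find-WeakAce $t }
$findings | Format-Table -AutoSize

if ($Fix -and $findings) {
    # 2. Stop the root from inheriting weak ACEs from its parent; the ($true, $true)
    #    form keeps copies as explicit entries so Remove-WeakAce can delete them.
    $rootAcl = Get-Acl -LiteralPath $Root
    $rootAcl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Root -AclObject $rootAcl
    # The root is first in $targets, so its cleanup propagates down through inheritance;
    # explicit entries on children are then removed individually.
    foreach ($t in $targets) { [void](Remove-WeakAce $t) }
}

# 3. SACL: log successful writes, deletes and ACL changes by anyone, inherited to children.
#    Events (ID 4663) are only generated once the "File System" audit subcategory is on:
#    auditpol /set /subcategory:"File System" /success:enable
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $WriteRights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$rootAcl = Get-Acl -LiteralPath $Root -Audit          # reading the SACL needs an elevated session
$rootAcl.AddAuditRule($auditRule)
Set-Acl -LiteralPath $Root -AclObject $rootAcl
```

Run it once without -Fix from an elevated PowerShell session and review the report before applying changes: a service account listed under an overly broad group may legitimately need write access to a data directory, in which case grant that account an explicit ACE rather than leaving the group-wide one in place. The SACL only produces events after the auditpol subcategory is enabled, so check for 4663 events on a test write before relying on it for monitoring.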