Siemens Opcenter Execution Core (Update B)

Plan PatchCVSS 8.5ICS-CERT ICSA-20-196-07Jul 14, 2020

Siemens

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Siemens Opcenter Execution Core and Camstar Enterprise Platform contain multiple input validation vulnerabilities (XSS injection, SQL injection) and authentication/authorization flaws (CWE-284, CWE-522) that allow authenticated users to execute arbitrary code or bypass access controls within the application. All versions of Camstar Enterprise Platform are affected. Opcenter Execution Core versions below 8.4 are vulnerable. The vulnerabilities permit authenticated attackers to inject malicious scripts and SQL commands to compromise data confidentiality and integrity.

What this means

What could happen

An authenticated attacker or compromised user account could inject malicious code into the Opcenter interface to view sensitive manufacturing data, modify production orders, or tamper with system configurations that control plant operations. An attacker could also bypass authorization controls to access restricted functionality.

Who's at risk

Manufacturing operations managers and plant engineers using Siemens Opcenter Execution Core or Camstar Enterprise Platform for production planning, batch tracking, and order management. This affects facilities across discrete manufacturing, food & beverage, pharmaceutical, and chemical industries that rely on these MES (Manufacturing Execution Systems) platforms for shop floor control.

How it could be exploited

An attacker with valid credentials to the Opcenter or Camstar web interface could inject XSS payload or SQL commands through input fields. The application fails to sanitize these inputs, allowing the attacker to execute arbitrary JavaScript in other users' browsers or query/modify the backend database. This requires network access to the application web server and valid user authentication.

Prerequisites

Network access to Opcenter/Camstar web server (typically port 80/443)
Valid user credentials (engineering or operator account)
User interaction not required once authenticated (stored XSS or direct SQL injection possible)

Remotely exploitable over networkRequires valid credentials but low authentication bar (operator-level access)Low complexity exploitation (standard XSS/SQLi techniques)No patch available for Camstar or Opcenter versions <8.4Affects data integrity and confidentiality of manufacturing operations

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (4)

3 with fix1 EOL

ProductAffected VersionsFix Status

Opcenter Execution Core: All<V8.28.4+

Camstar Enterprise Platform: All versionsAll versionsNo fix (EOL)

Opcenter Execution Core: V8.2V8.28.4+

Opcenter Execution Core: V8.3V8.38.4+

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDFor Camstar Enterprise Platform (no fix available): Configure a Web Application Firewall (WAF) to detect and block XSS and SQL injection payloads in HTTP traffic to the application

WORKAROUNDRestrict network access to the Opcenter/Camstar web server to trusted engineering and operator workstations only using firewall rules or VPN access

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Opcenter Execution Core to version 8.4 or later

Mitigations - no patch available

0/3

Camstar Enterprise Platform: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate the MES platform from general corporate IT and the internet

HARDENINGEnforce strong password policies and multi-factor authentication for all accounts accessing Opcenter/Camstar to limit impact of credential compromise

HARDENINGMonitor access logs and web server activity for signs of XSS/SQL injection attempts

CVEs (4)

CVE-2020-7576 CVE-2020-7577 CVE-2020-7578 CVE-2020-28390

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/acc14277-5e9b-4b76-8a03-b85af4e23cbe

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.