OTPulse
FeedAboutContact

Siemens Industrial Edge Management

Plan Patch7.4ICS-CERT ICSA-22-286-02Oct 13, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

Siemens Industrial Edge Management versions prior to 1.5.1 contain an improper certificate validation vulnerability (CWE-295) that allows an attacker to inject malicious maintenance requests or access sensitive data. An attacker could exploit this by sending statistics, activating remote support, exchanging initial keys during onboarding, querying extensions, or accessing sensitive configuration data without valid authentication. The vulnerability requires network access but no user interaction.

What this means
What could happen
An attacker could bypass certificate validation to inject malicious maintenance requests or access sensitive data on the Industrial Edge Management platform, potentially compromising the integrity of edge computing infrastructure and connected industrial devices.
Who's at risk
Manufacturing facilities using Siemens Industrial Edge Management systems for edge computing and device management. This includes any organization managing distributed Siemens devices through the edge platform, whether for process monitoring, predictive maintenance, or data aggregation at the edge of the network.
How it could be exploited
An attacker on the network sends a specially crafted request to the Industrial Edge Management system that exploits improper certificate validation. This allows the attacker to inject malicious maintenance requests, activate remote support without authorization, exchange encryption keys during device onboarding, or query extension data. The attack requires network access but no authentication credentials.
Prerequisites
  • Network access to Industrial Edge Management system on the network
  • System running Industrial Edge Management version prior to 1.5.1
  • HTTPS/TLS connection to the management interface
remotely exploitableno authentication requiredimproper certificate validationaffects industrial edge computing infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Industrial Edge Management - AllAll versions prior to V1.5.11.5.1
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Industrial Edge Management to version 1.5.1 or later
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/a9a24bd5-e4ab-4c7e-ac00-40bd5a572cb3