Siemens Industrial Edge Management

Plan PatchCVSS 7.4ICS-CERT ICSA-22-286-02Oct 11, 2022

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Siemens Industrial Edge Management versions prior to 1.5.1 contain an improper certificate validation vulnerability (CWE-295) that allows an attacker to inject malicious maintenance requests or access sensitive data. An attacker could exploit this by sending statistics, activating remote support, exchanging initial keys during onboarding, querying extensions, or accessing sensitive configuration data without valid authentication. The vulnerability requires network access but no user interaction.

What this means

What could happen

An attacker could bypass certificate validation to inject malicious maintenance requests or access sensitive data on the Industrial Edge Management platform, potentially compromising the integrity of edge computing infrastructure and connected industrial devices.

Who's at risk

Manufacturing facilities using Siemens Industrial Edge Management systems for edge computing and device management. This includes any organization managing distributed Siemens devices through the edge platform, whether for process monitoring, predictive maintenance, or data aggregation at the edge of the network.

How it could be exploited

An attacker on the network sends a specially crafted request to the Industrial Edge Management system that exploits improper certificate validation. This allows the attacker to inject malicious maintenance requests, activate remote support without authorization, exchange encryption keys during device onboarding, or query extension data. The attack requires network access but no authentication credentials.

Prerequisites

Network access to Industrial Edge Management system on the network
System running Industrial Edge Management version prior to 1.5.1
HTTPS/TLS connection to the management interface

remotely exploitableno authentication requiredimproper certificate validationaffects industrial edge computing infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Industrial Edge Management< V1.5.11.5.1

Industrial Edge Management - AllAll versions prior to V1.5.11.5.1

Remediation & Mitigation

0/1

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Industrial Edge Management

HOTFIXUpdate Industrial Edge Management to version 1.5.1 or later

CVEs (1)

CVE-2022-40147

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a9a24bd5-e4ab-4c7e-ac00-40bd5a572cb3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.