Siemens SiPass integrated AC5102 / ACC-G2 and ACC-AP
Plan Patch
CVSS 7.8
ICS-CERT ICSA-23-047-05
Feb 14, 2023
Siemens
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SiPass integrated ACC (Advanced Central Controller) devices fail to properly sanitize user input on the telnet command line interface. An authenticated user with local telnet access can inject arbitrary commands that execute with root privileges. Affected products are SiPass integrated ACC-AP (versions before 2.85.43) and SiPass integrated AC5102 (ACC-G2) (versions before 2.85.44). No fix is planned for legacy models including AC5100 (ACC), AC5200 series (ACC-Lite, ACC-4, ACC-8, ACC-16, ACC-32), or Granta-MK3 (ACC-GRANTA).
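As an added example (not part of the advisory or of any Siemens tooling), the affected-version rules in the summary can be applied to a controller inventory to sort devices into patchable, already fixed, and no-fix-planned. The model aliases used as keys, the status labels and the sample inventory are assumptions constructed for illustration.

```python
import re

# "Fixed in" versions, taken from the summary above. Key spellings are assumed aliases.
FIXED_IN = {"ACC-AP": (2, 85, 43), "AC5102": (2, 85, 44), "ACC-G2": (2, 85, 44)}
# Legacy models for which the summary says no fix is planned (assumed aliases).
NO_FIX = {"AC5100", "ACC", "ACC-LITE", "ACC-4", "ACC-8", "ACC-16", "ACC-32",
          "GRANTA-MK3", "ACC-GRANTA"}


def parse_version(text):
    """Turn '2.85.43' into (2, 85, 43); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(model, firmware):
    """Classify one controller; the status strings are labels chosen for this example."""
    key = model.strip().upper()
    if key in NO_FIX:
        return "no-fix-planned"      # workarounds only, whatever the firmware
    if key not in FIXED_IN:
        return "not-listed"
    try:
        current = parse_version(firmware)
    except ValueError:
        return "unknown-version"     # needs manual verification on the device
    fixed = FIXED_IN[key]
    # Pad so "2.86" compares as 2.86.0; compare numerically, never as strings
    # ("2.85.5" sorts after "2.85.43" as text but is the older firmware).
    width = max(len(current), len(fixed))
    current += (0,) * (width - len(current))
    fixed += (0,) * (width - len(fixed))
    return "affected" if current < fixed else "fixed"


# Constructed sample inventory: (hostname, model, firmware), not real devices.
INVENTORY = [
    ("door-ctrl-01", "ACC-AP", "2.85.5"),
    ("door-ctrl-02", "AC5102", "2.85.44"),
    ("door-ctrl-03", "ACC-G2", "2.85.43"),
    ("door-ctrl-04", "ACC-16", "2.70.1"),
    ("door-ctrl-05", "ACC-AP", "n/a"),
]

if __name__ == "__main__":
    for host, model, firmware in INVENTORY:
        print(f"{host:14} {model:8} {firmware:8} {triage(model, firmware)}")
```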
What this means
What could happen
An authenticated user with local access to the telnet interface can inject commands to execute arbitrary code with root privileges, potentially allowing them to alter access control logic, disable authentication, or disrupt physical security operations managed by the SiPass system.
Who's at risk
Physical security managers and IT staff responsible for SiPass integrated access control systems, particularly those running AC5102 (ACC-G2) or ACC-AP controllers in facilities with badge readers, door locks, and attendance tracking. Organizations with legacy ACC models (AC5100, AC5200 series) have no patch path and must rely on workarounds. This affects any facility using Siemens SiPass for building or campus access control.
How it could be exploited
An attacker must gain local telnet access to the ACC device (requires network access to the device and valid credentials). The attacker then injects specially crafted input into the telnet CLI to bypass command sanitization and execute commands as root, potentially compromising the entire access control system.
Prerequisites
Local network access to telnet port on the ACC device
Valid credentials for one of the main ACC user accounts (SIEMENS, OPERATOR, or other configured accounts)
Physical proximity or network access within the secured facility network