Siemens SiPass integrated AC5102 / ACC-G2 and ACC-AP
Plan Patch | 7.8 | ICS-CERT ICSA-23-047-05 | Feb 14, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SiPass integrated ACC (Advanced Central Controller) devices fail to properly sanitize user input on the telnet command line interface. An authenticated user with local telnet access can inject arbitrary commands that execute with root privileges. Affected products are SiPass integrated ACC-AP (versions before 2.85.43) and SiPass integrated AC5102 (ACC-G2) (versions before 2.85.44). No fix is planned for legacy models including AC5100 (ACC), AC5200 series (ACC-Lite, ACC-4, ACC-8, ACC-16, ACC-32), or Granta-MK3 (ACC-GRANTA).
What this means
What could happen
An authenticated user with local access to the telnet interface can inject commands to execute arbitrary code with root privileges, potentially allowing them to alter access control logic, disable authentication, or disrupt physical security operations managed by the SiPass system.
Who's at risk
Physical security managers and IT staff responsible for SiPass integrated access control systems, particularly those running AC5102 (ACC-G2) or ACC-AP controllers in facilities with badge readers, door locks, and attendance tracking. Organizations with legacy ACC models (AC5100, AC5200 series) have no patch path and must rely on workarounds. This affects any facility using Siemens SiPass for building or campus access control.
How it could be exploited
An attacker must gain local telnet access to the ACC device (requires network access to the device and valid credentials). The attacker then injects specially crafted input into the telnet CLI to bypass command sanitization and execute commands as root, potentially compromising the entire access control system.
Prerequisites
- Local network access to telnet port on the ACC device
- Valid credentials for one of the main ACC user accounts (SIEMENS, OPERATOR, or other configured accounts)
- Physical proximity or network access within the secured facility network
- Authenticated access required
- Local access only (not remotely exploitable)
- Root privilege escalation
- No fix planned for legacy models (ACC, ACC-Lite, ACC-4, ACC-8, ACC-16, ACC-32, Granta-MK3)
- Default credentials commonly deployed
- Affects critical facility security operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SiPass integrated AC5102 (ACC-G2) | <V2.85.44 | 2.85.44
SiPass integrated ACC-AP | <V2.85.43 | 2.85.43
Remediation & Mitigation
Do now
- WORKAROUND: Disable telnet access on all ACC devices if not required for operations
- HARDENING: Change default passwords for SIEMENS and OPERATOR accounts to unique, complex passwords
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SiPass integrated ACC-AP
- HOTFIX: Update SiPass integrated ACC-AP to version 2.85.43 or later
SiPass integrated AC5102 (ACC-G2)
- HOTFIX: Update SiPass integrated AC5102 (ACC-G2) to version 2.85.44 or later
Long-term hardening
- HARDENING: Restrict network access to ACC devices using firewall rules to allow connections only from authorized engineering workstations
- HARDENING: Isolate ACC devices and SiPass integrated access control systems from the business network using network segmentation
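An inventory triage for the version thresholds and remediation steps listed in this advisory, as an added example that is not part of the advisory or of any Siemens tooling. The record fields (host, model, firmware, telnet_enabled), the hostnames and the status labels are assumptions.

```python
import re

# Fixed versions and no-fix legacy models, taken from the advisory text.
FIXED = {"ACC-AP": (2, 85, 43), "AC5102": (2, 85, 44)}
LEGACY_NO_FIX = {"AC5100", "ACC-Lite", "ACC-4", "ACC-8", "ACC-16", "ACC-32", "Granta-MK3"}

def parse_version(text):
    """Turn 'V2.85.43' or '2.85.43' into (2, 85, 43); None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(device):
    """Return (status, actions) for one inventory record (hypothetical dict layout)."""
    model, actions = device["model"], []
    if device.get("telnet_enabled", True):  # unknown telnet state is treated as enabled
        actions.append("disable telnet if not required")
    if model in LEGACY_NO_FIX:
        actions.append("restrict network access; no fix planned")
        return "no-fix", actions
    fixed = FIXED.get(model)
    if fixed is None:
        return "not-listed", actions
    version = parse_version(device.get("firmware", ""))
    if version is None:
        actions.append("verify firmware version manually")
        return "unknown-version", actions
    if version < fixed:  # numeric tuple compare: 2.9.100 sorts below 2.85.43
        actions.append("update to %d.%d.%d or later" % fixed)
        return "vulnerable", actions
    return "fixed", actions

# Constructed sample inventory (hostnames and field names are hypothetical).
INVENTORY = [
    {"host": "acc-lobby", "model": "AC5102", "firmware": "V2.85.43", "telnet_enabled": True},
    {"host": "acc-dock", "model": "ACC-AP", "firmware": "2.85.43", "telnet_enabled": False},
    {"host": "acc-annex", "model": "ACC-16", "firmware": "2.70.10", "telnet_enabled": True},
    {"host": "acc-lab", "model": "ACC-AP", "firmware": "2.9.100"},
]

def report(inventory=INVENTORY):
    return {d["host"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for host, (status, actions) in report().items():
        print(f"{host:10} {status:16} {'; '.join(actions) or 'none'}")
```

The same firmware string (2.85.43) is fixed on ACC-AP but still vulnerable on AC5102 (ACC-G2), so the threshold has to be looked up per model.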
CVEs (1)
API:
/api/v1/advisories/a66968f0-5f70-4f49-bc52-201c36616499