Siemens OZW672 and OZW772 Web Server

CVSS 6.8 | ICS-CERT ICSA-24-319-03 | Nov 12, 2024
Siemens
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

OZW672 and OZW772 Web Server versions before V5.2 contain a stored cross-site scripting (XSS) vulnerability. An authenticated remote attacker can inject arbitrary JavaScript code that is later executed in the browser of another authenticated user with potentially higher privileges. The attacker could then perform actions on behalf of the privileged user within the scope of that user's permissions. Siemens has released updated versions (V5.2 or later) to address this vulnerability.

What this means
What could happen
An authenticated attacker could inject malicious JavaScript into the web interface that executes when a higher-privileged user accesses the device, potentially allowing the attacker to impersonate that user and modify device settings or process configurations.
Who's at risk
Water and electric utilities managing HVAC and outdoor temperature control systems that rely on Siemens OZW672 or OZW772 controllers. Any facility with these controllers exposed to untrusted internal networks faces risk if users with different privilege levels share access to the web interface.
How it could be exploited
The attacker must have valid credentials to authenticate to the OZW672 or OZW772 web server. Once authenticated, they inject JavaScript code into a stored field (such as a configuration parameter or label). When a higher-privileged user (such as an engineer or administrator) later views that stored data in the web interface, the injected script executes in their browser session, giving the attacker access to the victim's permissions.
Prerequisites
  • Valid authentication credentials for the OZW672 or OZW772 web server
  • Network access to the web server (typically port 80 or 443)
  • A higher-privileged user must view the page containing the injected payload
  • Requires valid authentication
  • Requires user interaction (victim must view the page)
  • Affects multi-user systems with privilege differences
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2)
2 with fix
Product    Affected Versions    Fix Status
OZW672     < V5.2               Fixed in 5.2
OZW772     < V5.2               Fixed in 5.2
Remediation & Mitigation
Do now
Workaround (OZW672, OZW772): Restrict network access to the OZW672 and OZW772 web servers to authorized personnel only using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix (OZW672): Update OZW672 to firmware version 5.2 or later
Hotfix (OZW772): Update OZW772 to firmware version 5.2 or later
Long-term hardening
Hardening (OZW672, OZW772): Ensure OZW672 and OZW772 devices are located behind firewalls and isolated from business networks and the internet