OTPulse

Siemens OZW672 and OZW772 Web Server

Monitor · CVSS 6.8 · ICS-CERT ICSA-24-319-03 · Nov 12, 2024
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

OZW672 and OZW772 Web Server versions before V5.2 contain a stored cross-site scripting (XSS) vulnerability. An authenticated remote attacker can inject arbitrary JavaScript code into the web interface, which is then executed when another authenticated user (potentially with higher privileges) views the affected page. This could allow the attacker to perform unauthorized actions using the victim's session and privileges.

What this means
What could happen
An authenticated attacker could inject malicious JavaScript that executes in the browser of another authorized user, potentially allowing them to steal session tokens, modify automation settings, or trick users into dangerous actions. Since the attacker can target users with higher privileges, they could escalate their access to critical functions.
Who's at risk
Water utilities and electric utilities using Siemens OZW672 or OZW772 Web Server modules in automation systems should care about this issue. These devices are typically used for SCADA monitoring and control. The risk is highest for facilities where operators or engineers access the web interface with administrator credentials, as attackers could leverage their sessions to modify critical setpoints or disable monitoring.
How it could be exploited
An attacker with valid login credentials accesses the OZW672 or OZW772 web interface and injects malicious JavaScript into a field that is stored by the server. When another authenticated user (especially an administrator) views the affected page, the injected script executes in their browser with their privileges, allowing the attacker to perform unauthorized actions on their behalf.
Prerequisites
  • Valid authenticated login credentials to the OZW672 or OZW772 web interface
  • Network access to the web server on the affected device (typically port 80/443)
  • A target user (ideally with higher privileges) who will view the page containing the injected payload
Remotely exploitable over network · Requires authentication but can target higher-privilege users · Stored XSS could affect multiple users · Affects control system monitoring/interface
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
OZW672 | <V5.2 | 5.2
OZW772 | <V5.2 | 5.2
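To find which units still need the fix, firmware versions have to be compared numerically, because a plain string comparison would rank "5.10" below "5.2". The following is an added example, not part of the advisory or any Siemens tooling; the inventory format, host names and sample versions are constructed for illustration.

```python
import re

FIXED = (5, 2)                           # first fixed firmware per the advisory (V5.2)
AFFECTED_MODELS = ("OZW672", "OZW772")   # product names from the advisory

def parse_version(text):
    """Turn 'V5.1', 'v5.10' or '5.2.1' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(model, firmware):
    """Classify one inventory row: not-affected, patched, vulnerable or unknown."""
    if not model.upper().startswith(AFFECTED_MODELS):
        return "not-affected"
    version = parse_version(firmware)
    if version is None:
        return "unknown"                 # no usable version string: verify on the device
    # Pad short versions so that '5' is compared as 5.0 against the fixed 5.2.
    padded = version + (0,) * (len(FIXED) - len(version))
    return "patched" if padded >= FIXED else "vulnerable"

# Constructed sample inventory: (asset name, model, reported firmware).
INVENTORY = [
    ("plant-a-ozw1", "OZW672", "V5.1"),
    ("plant-a-ozw2", "OZW772", "V5.2"),
    ("plant-b-ozw1", "OZW772", "5.10"),
    ("plant-b-ozw2", "OZW672", "V4.9.3"),
    ("plant-c-ozw1", "OZW772", ""),
    ("plant-c-hmi1", "OTHER-HMI", "V1.0"),
]

def report(inventory):
    """Map each asset name to its triage status."""
    return {name: triage(model, fw) for name, model, fw in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:14} {status}")
```

Rows reported as "unknown" belong in the same work queue as "vulnerable" until the firmware version has been confirmed.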
Remediation & Mitigation
Do now
OZW672
WORKAROUND: Restrict network access to the OZW672/OZW772 web interface to authorized engineering workstations only using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

OZW672
HOTFIX: Update OZW672 and OZW772 devices to firmware version V5.2 or later
Long-term hardening
OZW672
HARDENING: Implement network segmentation to isolate OZW672/OZW772 devices from business networks and internet access
All products
HARDENING: Use VPN for any required remote access to the web interface instead of direct internet exposure
Siemens OZW672 and OZW772 Web Server | CVSS 6.8 - OTPulse