Siemens SENTRON 7KT PAC1260 Data Manager

Plan Patch | CVSS 10 | ICS-CERT ICSA-25-100-06 | Apr 8, 2025
Vendor: Siemens

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SENTRON 7KT PAC1260 Data Manager is affected by multiple critical vulnerabilities including OS command injection (CWE-78), missing authentication (CWE-306), path traversal (CWE-22), hardcoded credentials (CWE-798), and cross-site request forgery (CWE-352). These vulnerabilities can be exploited by unauthenticated attackers over the network to gain full command execution on the device. Siemens has declared the product end-of-life and will not release patches. The vendor recommends replacing the device with SENTRON 7KT PAC1261 and updating to the latest firmware version.

What this means
What could happen
An unauthenticated attacker on the network can execute arbitrary commands on the SENTRON 7KT PAC1260 Data Manager, potentially gaining full control of the device and allowing manipulation of power management and monitoring data across connected electrical systems.
Who's at risk
This affects power distribution and energy management in mid-size utilities, manufacturing facilities, and municipal electric systems that use the SENTRON 7KT PAC1260 for electrical monitoring and data management. Any site running this device can be compromised to disrupt power analytics, trigger false alarms, or manipulate electrical measurements across the facility.
How it could be exploited
An attacker sends a network request to the SENTRON 7KT PAC1260 over TCP port 80 or 443 without credentials. The device processes the request and executes arbitrary commands because input validation and authentication checks are missing, granting the attacker command execution on the device.
Prerequisites
  • Network reachability to the SENTRON 7KT PAC1260 on TCP ports 80 and/or 443
  • No authentication required - vulnerabilities are pre-authentication

  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available (end-of-life product)
  • High CVSS score (10.0)
  • Affects critical infrastructure monitoring
Exploitability
Some exploitation risk — EPSS score 1.0%
Affected products (1)
Product                          | Affected Versions | Fix Status
SENTRON 7KT PAC1260 Data Manager | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the SENTRON 7KT PAC1260 management interfaces using firewall rules; only allow connections from authorized engineering workstations and monitoring systems.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Replace the SENTRON 7KT PAC1260 with the SENTRON 7KT PAC1261 Data Manager and update it to the latest available firmware.
Mitigations - no patch available
SENTRON 7KT PAC1260 Data Manager has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the PAC1260 on a dedicated VLAN with controlled ingress/egress rules.
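The WORKAROUND and HARDENING items above both come down to the same control: the device's web interface on TCP 80/443 must only be reachable from an explicit list of engineering and monitoring hosts, with everything else logged and dropped at the gateway between the PAC1260's VLAN and the rest of the network. The script below is an added example, not part of the advisory or a Siemens-supplied configuration; it generates an nftables ruleset for such a gateway. The device address and the allowed workstation addresses are placeholders to be replaced with the site's own values.

```shell
#!/bin/sh
# Added example (not from the advisory): build an nftables ruleset for the
# Layer-3 gateway in front of the PAC1260 VLAN. Only the listed engineering
# workstations and monitoring hosts may reach the device's HTTP/HTTPS ports;
# every other packet destined for the device is logged and dropped, which
# gives both the compensating control and a detection signal in syslog.
#
# All addresses are placeholders (documentation ranges), not site values.
PAC1260_IP="${PAC1260_IP:-192.0.2.10}"
ALLOWED_HOSTS="${ALLOWED_HOSTS:-198.51.100.5 198.51.100.6}"

# build_ruleset DEVICE_IP HOST... : print the ruleset to stdout.
build_ruleset() {
    dev="$1"
    shift
    # Join the allowed hosts into an nft set literal: "a, b, c"
    set_list=""
    for h in "$@"; do
        set_list="${set_list:+$set_list, }$h"
    done
    cat <<EOF
table inet pac1260_filter {
    set engineering_hosts {
        type ipv4_addr
        elements = { $set_list }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Authorised hosts may reach the device's web/API ports
        ip daddr $dev tcp dport { 80, 443 } ip saddr @engineering_hosts accept
        # Anything else aimed at the device is logged, then dropped
        ip daddr $dev log prefix "pac1260-denied " drop
    }
}
EOF
}

# Usage: review the output, then load it on the gateway with `nft -f FILE`.
# shellcheck disable=SC2086  # ALLOWED_HOSTS is intentionally word-split
build_ruleset "$PAC1260_IP" $ALLOWED_HOSTS
```

The forward chain keeps `policy accept` so the ruleset only constrains traffic to the PAC1260 and does not disturb the rest of the segment; the `log prefix "pac1260-denied "` entries are what a SOC should watch, since any hit from a host outside the allowlist is a probe against a device that cannot be patched.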