Multiple Vulnerabilities in QMS Automotive before V12.39
Plan Patch | 8.8 | SSA-147266 | Sep 12, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
QMS Automotive before V12.39 contains multiple vulnerabilities including malicious code injection, information disclosure, and denial of service conditions. An attacker with valid credentials and network access could exploit these flaws to compromise quality management operations. Siemens has released version 12.39 as a fix, available upon request from customer support.
What this means
What could happen
An attacker with valid engineering credentials could inject malicious code into QMS Automotive, potentially altering quality management configurations, disclosing sensitive manufacturing data, or disrupting quality operations.
Who's at risk
Automotive manufacturing plants and quality departments that use Siemens QMS Automotive for quality management and process oversight should update immediately. This affects engineering workstations and quality control systems that rely on QMS Automotive for managing manufacturing quality checks and documentation.
How it could be exploited
An attacker with network access and valid login credentials could exploit these vulnerabilities to inject code into QMS Automotive, potentially gaining control over quality management functions, exfiltrating manufacturing or quality records, or causing the system to stop processing quality checks.
Prerequisites
- Network access to QMS Automotive application
- Valid user credentials (engineering account or higher privilege)
- QMS Automotive version before V12.39
- Requires valid user credentials
- Remotely exploitable
- Multiple vulnerability types (code injection, information disclosure, denial of service)
- Affects quality management operations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
QMS Automotive | < V12.39 | 12.39
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update QMS Automotive to version 12.39 or later
CVEs (10)