Multiple Vulnerabilities in SINEC PNI before V2.0
Act Now · 9.8 · SSA-150063 · Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SINEC PNI before version 2.0 contains multiple vulnerabilities related to improper input validation (CWE-20) and buffer overflow (CWE-787). These flaws allow unauthenticated remote attackers to execute arbitrary code or modify system behavior through crafted network requests. The vulnerabilities affect SINEC PNI's network communication and data handling components.
What this means
What could happen
An attacker with network access to SINEC PNI could execute arbitrary code or modify the system without authentication, potentially disrupting communication between your Siemens automation equipment and the network.
Who's at risk
Organizations using SINEC PNI for Siemens industrial network connectivity, including manufacturing plants, utilities, and infrastructure facilities that rely on SINEC for secure network communication between SCADA/PLC systems and enterprise networks.
How it could be exploited
An attacker on the network sends a crafted network request to SINEC PNI that exploits input validation or buffer overflow flaws (CWE-20, CWE-787). The system processes the malicious input without proper checks, allowing the attacker to execute code or alter system behavior.
Prerequisites
- Network access to SINEC PNI service port
- No authentication required
remotely exploitable · no authentication required · low complexity · high EPSS score (92.5%) · affects critical industrial network communication
Exploitability
High exploit probability (EPSS 92.5%)
Affected products (1)
Product   | Affected Versions | Fix Status
SINEC PNI | <V2.0             | 2.0
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SINEC PNI to version 2.0 or later
CVEs (13)