OTPulse

Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impact to Siemens Products

Act Now | 9.8 | SSA-254054 | Apr 19, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Spring Framework (CVE-2022-22965, known as Spring4Shell or SpringShell) allows remote unauthenticated attackers to execute arbitrary code on vulnerable Siemens products. The flaw is an input validation weakness that lets attackers use Java reflection techniques to write malicious files into the web application. Affected products include Operation Scheduler, SIMATIC Speech Assistant for Machines, SINEC NMS, SiPass integrated, and Siveillance Identity. The vulnerability has been actively exploited in the wild.

What this means
What could happen
An unauthenticated attacker on your network can execute arbitrary commands on Siemens enterprise management and building control systems by exploiting a Spring Framework input validation flaw. This could allow them to take control of identity systems, access control platforms, network management tools, or machine communication systems.
Who's at risk
IT managers operating any of these Siemens enterprise systems should prioritize this: Operation Scheduler, SINEC NMS (network management), Siveillance Identity (building access control), SiPass integrated (physical security), and SIMATIC Speech Assistant for Machines. If you use any of these products, especially for access control, network management, or identity services, your systems are at risk.
How it could be exploited
An attacker sends a specially crafted HTTP request (without authentication) to a vulnerable Spring web application. The request bypasses input validation and uses Java reflection to write a malicious JSP file to the web server. The attacker then accesses the JSP to execute arbitrary code with the privileges of the application.
Prerequisites
  • Network access to HTTP/HTTPS port of the vulnerable Siemens product
  • The affected Siemens product must be running a vulnerable version of Spring Framework
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Actively exploited (KEV)
  • Very high EPSS score (94.4%)
  • No patch available for SiPass integrated V2.80 and V2.85
  • Affects building access control and security systems
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (7)
5 with fix, 2 EOL
Product | Affected Versions | Fix Status
Operation Scheduler | < 2.0.4 | 2.0.4
SIMATIC Speech Assistant for Machines (SAM) | < V1.2.1 | 1.2.1
SINEC NMS | < V1.0.3 | 1.0.3
Siveillance Identity V1.5 | All versions | 1.5 SP4 and apply the patch
Siveillance Identity V1.6 | All versions | 1.6 SP1 and apply the patch
SiPass integrated V2.80 | All versions | No fix (EOL)
SiPass integrated V2.85 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
Operation Scheduler
HOTFIX: Update Operation Scheduler to version 2.0.4 or later
SIMATIC Speech Assistant for Machines (SAM)
HOTFIX: Update SIMATIC Speech Assistant for Machines (SAM) to version 1.2.1 or later (contact customer support for patch)
SINEC NMS
HOTFIX: Update SINEC NMS to version 1.0.3 or later
Siveillance Identity V1.5
HOTFIX: Update Siveillance Identity V1.5 to version 1.5 SP4 and apply the patch
Siveillance Identity V1.6
HOTFIX: Update Siveillance Identity V1.6 to version 1.6 SP1 and apply the patch
SiPass integrated V2.80
WORKAROUND: For SiPass integrated V2.80 and V2.85 (no patch available): isolate affected systems from untrusted networks and restrict HTTP/HTTPS access to trusted IPs only via firewall rules
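
The affected-products table and remediation steps above, turned into an inventory triage script. This is an added example, not part of the advisory or any Siemens tooling; the function names are hypothetical and the sample inventory (host names, installed versions) is constructed.

```python
import re

# From the advisory table: product -> (first fixed version or None if EOL, extra patch needed?)
ADVISORY = {
    "Operation Scheduler": ("2.0.4", False),
    "SIMATIC Speech Assistant for Machines (SAM)": ("1.2.1", False),
    "SINEC NMS": ("1.0.3", False),
    "Siveillance Identity V1.5": ("1.5 SP4", True),
    "Siveillance Identity V1.6": ("1.6 SP1", True),
    "SiPass integrated V2.80": (None, False),
    "SiPass integrated V2.85": (None, False),
}

def parse_version(text):
    """Turn 'V1.0.3' or '1.5 SP4' into a comparable (numbers, service pack) key."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)(?:\s*SP\s*(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while nums and nums[-1] == 0:      # treat 2.0.4.0 the same as 2.0.4
        nums.pop()
    return tuple(nums), int(m.group(2) or 0)

def triage(product, installed):
    """Return the action the advisory calls for on one installation."""
    if product not in ADVISORY:
        return "not listed in advisory"
    fixed, needs_patch = ADVISORY[product]
    if fixed is None:
        return "no fix (EOL): isolate, restrict HTTP/HTTPS to trusted IPs"
    if parse_version(installed) < parse_version(fixed):
        return f"update to {fixed}" + (" and apply the patch" if needs_patch else "")
    return "at fixed level: confirm the patch is applied" if needs_patch else "fixed"

# Constructed sample inventory; host names and installed versions are hypothetical.
INVENTORY = [
    ("nms-01", "SINEC NMS", "V1.0.2"),
    ("sched-01", "Operation Scheduler", "2.0.4.0"),
    ("idm-01", "Siveillance Identity V1.5", "1.5 SP2"),
    ("idm-02", "Siveillance Identity V1.6", "V1.6 SP1"),
    ("acs-01", "SiPass integrated V2.85", "2.85"),
]

def report(inventory=INVENTORY):
    return {host: triage(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, action in report().items():
        print(f"{host}: {action}")
```

A version string alone cannot show whether the separate Siveillance Identity patch was applied, so those hosts are reported for manual confirmation rather than marked fixed.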