Multiple Vulnerabilities in SIMATIC MV500 Devices before V3.3
Plan Patch · 8 · SSA-348662 · Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
SIMATIC MV500 devices before V3.3 are affected by two vulnerabilities: one allows attackers to hijack web-based management sessions of other users (CVE-2022-33137), and another allows unauthorized access to device data without authentication (CVE-2022-33138). Both stem from improper session management and missing authentication controls. Successful exploitation could allow unauthorized modification of device settings or exfiltration of configuration and monitoring data.
What this means
What could happen
An attacker with access to the management interface could steal another user's session and take control of the device settings, or read sensitive data without logging in. This could allow unauthorized changes to power quality monitoring or device configuration.
Who's at risk
Power quality monitoring equipment operators and engineering staff managing SIMATIC MV500 series devices (MV540 H/S, MV550 H/S, MV560 U/X models). This impacts organizations using these devices for voltage/frequency monitoring and data logging in electrical distribution systems.
How it could be exploited
An attacker with access to the device's web interface could craft a request to hijack an active user session (using broken session management) or directly access data endpoints without authentication. The attacker needs network access to the management port and, in one case, knowledge of an active legitimate user session.
Prerequisites
- Network access to the SIMATIC MV500 web management interface (typically port 80/443)
- For session hijacking: active legitimate user session on the device
- For unauthenticated data access: no prerequisites beyond network reachability
Tags: remotely exploitable · low authentication requirements · low complexity attack · affects device management/configuration
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
6 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC MV540 H | < V3.3 | 3.3 |
| SIMATIC MV540 S | < V3.3 | 3.3 |
| SIMATIC MV550 H | < V3.3 | 3.3 |
| SIMATIC MV550 S | < V3.3 | 3.3 |
| SIMATIC MV560 U | < V3.3 | 3.3 |
| SIMATIC MV560 X | < V3.3 | 3.3 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all SIMATIC MV500 devices to firmware version 3.3 or later
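To plan the update, an asset inventory can be triaged against the affected models and the V3.3 fix version listed in this advisory. The script below is an added example, not vendor or advisory code; the CSV column names, host names and sample rows are constructed assumptions. It compares versions numerically, so that a value such as 3.10.0 is not mistaken for something older than 3.3, and it flags unreadable firmware strings for manual review.

```python
import csv
import io
import re

# Affected models and fix version, as listed in the advisory's product table.
AFFECTED_MODELS = {"MV540 H", "MV540 S", "MV550 H", "MV550 S", "MV560 U", "MV560 X"}
FIXED_VERSION = (3, 3)

# Constructed sample inventory; column names and hosts are assumptions.
SAMPLE_INVENTORY = """host,model,firmware
reader-01,SIMATIC MV540 H,V3.2.1
reader-02,SIMATIC MV550 S,V3.3
reader-03,simatic mv560 x,3.10.0
reader-04,SIMATIC MV560 U,unknown
reader-05,SIMATIC MV440 HR,V7.0
"""

def parse_version(text):
    """Return a tuple of ints for strings like 'V3.2.1' or '3.3', else None."""
    m = re.fullmatch(r"\s*[vV]?\s*(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def normalize_model(text):
    """Strip the 'SIMATIC' prefix and collapse case and whitespace."""
    name = re.sub(r"^\s*SIMATIC\s+", "", text or "", flags=re.I)
    return " ".join(name.upper().split())

def triage(inventory_csv):
    """Classify each host as 'update', 'ok', 'review' or 'not-listed'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if normalize_model(row["model"]) not in AFFECTED_MODELS:
            status = "not-listed"   # model does not appear in this advisory
        else:
            version = parse_version(row["firmware"])
            if version is None:
                status = "review"   # unreadable firmware: verify on the device
            elif version < FIXED_VERSION:
                status = "update"   # before V3.3: affected per the advisory
            else:
                status = "ok"       # V3.3 or later carries the fix
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```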
CVEs (2)