OTPulse

Authorization Bypass Vulnerability in Industrial Edge Management

Priority: Act Now · CVSS 10 · SSA-359713 · Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Industrial Edge Management contains an authorization bypass vulnerability (CWE-639) that allows an unauthenticated remote attacker to impersonate other devices onboarded to the system without providing valid credentials. This affects Industrial Edge Management Pro versions below 1.9.5 and Industrial Edge Management Virtual versions below 2.3.1-1.

What this means
What could happen
An unauthenticated attacker can bypass authorization controls and impersonate legitimate edge devices connected to your Industrial Edge Management system, potentially allowing them to send unauthorized commands or collect data from your manufacturing network.
Who's at risk
Manufacturing operations using Siemens Industrial Edge Management to orchestrate edge computing devices and onboard industrial controllers. This affects any plant using Edge Management as a gateway or control hub for PLCs, sensors, or other field devices.
How it could be exploited
An attacker on the network sends a crafted request to the Industrial Edge Management server that bypasses authentication checks. The attacker then impersonates a legitimate onboarded device, gaining the permissions and access rights of that device without needing valid credentials.
Prerequisites
  • Network access to the Industrial Edge Management system (port 443 or management port)
  • No authentication credentials required
  • Target Industrial Edge Management system must be reachable from attacker's network
Tags: remotely exploitable · no authentication required · low complexity · critical severity (CVSS 10) · affects device management and orchestration
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (2), 2 with fix

Product                              Affected Versions          Fix Status
Industrial Edge Management Pro       < V1.9.5                   1.9.5
Industrial Edge Management Virtual   All versions < V2.3.1-1    2.3.1-1
Remediation & Mitigation

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Industrial Edge Management Pro
HOTFIX: Update Industrial Edge Management Pro to version 1.9.5 or later

Industrial Edge Management Virtual
HOTFIX: Update Industrial Edge Management Virtual to version 2.3.1-1 or later
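To act on the affected-products table above, here is an added Python helper (not part of this advisory and not Siemens tooling) that parses Industrial Edge Management version strings, including the "-1" package revision on the Virtual fix, and flags inventory entries still below the fixed versions. The inventory host names are constructed sample data.

```python
import re

# Fixed versions exactly as stated in this advisory (SSA-359713).
FIXED_VERSIONS = {
    "Industrial Edge Management Pro": "1.9.5",
    "Industrial Edge Management Virtual": "2.3.1-1",
}


def parse_version(v: str) -> tuple:
    """Turn 'V2.3.1-1' or '1.9.5' into a comparable tuple.

    The optional '-N' suffix is a package revision and sorts after the
    dotted part; a missing revision counts as 0, so 2.3.1 < 2.3.1-1.
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)(?:-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad so '2.3' compares like 2.3.0
    revision = int(m.group(2) or 0)
    return parts + (revision,)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the product is listed and the installed version is below its fix."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False  # product not covered by this advisory
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return the (host, product, version) entries that still need the hotfix."""
    return [(h, p, v) for h, p, v in inventory if is_vulnerable(p, v)]


# Constructed sample inventory; host names are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("iem-pro-01", "Industrial Edge Management Pro", "V1.9.4"),
    ("iem-pro-02", "Industrial Edge Management Pro", "1.9.5"),
    ("iem-virt-01", "Industrial Edge Management Virtual", "V2.3.1"),
    ("iem-virt-02", "Industrial Edge Management Virtual", "2.3.1-1"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {FIXED_VERSIONS[product]}")
```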