OTPulse

Local Code Execution Vulnerability in SENTRON powermanager V3

Plan Patch · CVSS 7.8 · SSA-537983 · Nov 9, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SENTRON powermanager V3 contains a local code execution vulnerability with improper file permission handling (CWE-732) that allows a user with limited privileges to inject arbitrary code and escalate to system-level access. The vulnerability affects all versions of SENTRON powermanager V3 and is fixed in version 3.6 HF1 with an accompanying security patch.

What this means
What could happen
A local attacker with limited user privileges on the SENTRON powermanager system could execute arbitrary code and escalate to higher privileges, potentially gaining control over power distribution monitoring and management functions.
Who's at risk
Energy utilities and power distribution operators running SENTRON powermanager V3 for electrical distribution monitoring and management. This affects engineering workstations and centralized power management systems that monitor substation and facility electrical parameters.
How it could be exploited
An attacker with local access to the SENTRON powermanager workstation (e.g., engineering staff or compromised account) could exploit improper file permissions (CWE-732) to inject malicious code into the application, then escalate privileges to run commands with system-level access.
Prerequisites
  • Local access to the SENTRON powermanager V3 workstation
  • Limited user account credentials or ability to run code in user context
  • The vulnerable file permissions remain unpatched
Local access required · Low complexity attack · Privilege escalation possible · Affects power distribution management
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
SENTRON powermanager V3 | All versions | 3.6 HF1 and apply the security patch
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SENTRON powermanager to version 3.6 HF1
HOTFIX: Apply the security patch released by Siemens for SENTRON powermanager V3.6 HF1
Long-term hardening
HARDENING: Review and restrict local access to the SENTRON powermanager workstation to engineering staff only
HARDENING: Implement proper file permission controls and audit local account access to the system
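
One way to carry out the file-permission audit from the hardening steps above, as an added example that is not part of the advisory or any Siemens tooling: a PowerShell script, assuming a Windows host, that lists Allow ACEs granting write-type rights to principals outside a trusted set. The install path is a placeholder (the advisory does not give it), and the trusted SID list is an assumed policy to adjust per site.

```powershell
# Added example: list Allow ACEs that let non-administrative principals
# modify files under an install tree (the CWE-732 condition).
param(
    # Placeholder: the advisory does not state the product's install path.
    [string]$InstallRoot = 'C:\PLACEHOLDER\powermanager-install-dir'
)

# Principals allowed to hold write access (assumed policy, by well-known SID).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Specific rights that allow changing or replacing content, plus the
# GENERIC_ALL / GENERIC_WRITE bits that some ACEs carry unmapped.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = @(
    & {
        Get-Item -LiteralPath $InstallRoot -Force   # include the root itself
        Get-ChildItem -LiteralPath $InstallRoot -Recurse -Force -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $path = $_.FullName
        $acl  = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # unreadable ACL: skip this item
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs affect children, which are checked on their own.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $path
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
)

$findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
"{0} writable entries for non-trusted principals under {1}" -f $findings.Count, $InstallRoot
```

Run it from an elevated session so every ACL in the tree is readable, and rerun it after applying 3.6 HF1 and the security patch to confirm the findings are gone.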
Local Code Execution Vulnerability in SENTRON powermanager V3 | CVSS 7.8 - OTPulse