OTPulse

Security Vulnerabilities Fixed in SIMATIC Cloud Connect 7 V2.1

Plan Patch | CVSS 7.2 | SSA-555292 | May 9, 2023
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

SIMATIC Cloud Connect 7 versions prior to V2.1 contain multiple vulnerabilities affecting confidentiality, integrity, and availability. These include command injection (CWE-77), hardcoded credentials (CWE-259), path traversal (CWE-22), insecure deserialization (CWE-544), information disclosure (CWE-200), and insecure file permissions (CWE-552). Siemens has released version 2.1 with fixes for all affected models (CC712 and CC716).

What this means
What could happen
An attacker with administrative access to SIMATIC Cloud Connect 7 could potentially expose sensitive configuration data, modify operational settings, or cause the cloud connectivity service to become unavailable, disrupting remote monitoring and control of plant assets.
Who's at risk
Water and electric utilities using SIMATIC Cloud Connect 7 (models CC712 and CC716) for remote SCADA system monitoring and control. Affects organizations that rely on cloud-based connectivity for plant asset management and situational awareness from remote locations.
How it could be exploited
An attacker with high-level credentials (administrative access) could exploit multiple vulnerabilities including command injection, hardcoded credentials, path traversal, insecure deserialization, information disclosure, and insecure file permissions to gain control over the Cloud Connect 7 device. This could allow modification of cloud gateway configurations or extraction of sensitive data used for connectivity to remote systems.
Prerequisites
  • Administrative credentials for SIMATIC Cloud Connect 7
  • Network access to the Cloud Connect 7 management interface
  • High CVSS score (7.2)
  • Requires administrative credentials (limits exposure)
  • Multiple vulnerability classes (injection, credential, traversal, deserialization)
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00) | < V2.1 | 2.1 |
| SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00) | ≥ V2.0, < V2.1 | 2.1 |
| SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00) | < V2.1 | 2.1 |
| SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00) | ≥ V2.0, < V2.1 | 2.1 |
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC Cloud Connect 7 (CC712 and CC716) to version 2.1 or later