OTPulse

Use of Hard-Coded Credentials Vulnerability in Location Intelligence before V4.3

Priority: Act Now
CVSS: 9.8
Advisory ID: SSA-580228
Published: Feb 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Location Intelligence before V4.3 contains hard-coded administrative credentials that allow any attacker with network access to the application to obtain full administrative privileges without supplying valid user credentials. This grants complete control over the application, including the ability to modify operational data, disable monitoring, or alter system behavior.

What this means
What could happen
An attacker with network access could use hard-coded credentials to gain full administrative access to Location Intelligence, allowing them to modify data, disable monitoring, or disrupt location-based decision-making in your operations.
Who's at risk
Organizations running Siemens Location Intelligence in any deployment size (Large, Medium, Small, or Non-Prod) should prioritize this update. Location Intelligence is used for real-time asset tracking and geographic decision-making in utilities and industrial operations; compromise could disrupt situational awareness and operational coordination.
How it could be exploited
An attacker would access the Location Intelligence application over the network, use the hard-coded administrative credentials to authenticate, and then modify application settings, data, or disable critical functions. This requires no special tools—just knowledge of the default credentials and network reachability to the application.
Prerequisites
  • Network access to the Location Intelligence application interface
  • Knowledge of the hard-coded administrative credentials (embedded in the software)
  • No additional authentication factors beyond the default credentials
Tags: remotely exploitable · no authentication required (hard-coded credentials) · low complexity · high CVSS score (9.8)
Exploitability
Moderate exploit probability (EPSS 1.9%)
Affected products (8)
8 with fix
Product                                     Affected Versions   Fix Status
Location Intelligence Perpetual Large       < V4.3              4.3
Location Intelligence Perpetual Medium      < V4.3              4.3
Location Intelligence Perpetual Non-Prod    < V4.3              4.3
Location Intelligence Perpetual Small       < V4.3              4.3
Location Intelligence SUS Large             < V4.3              4.3
Location Intelligence SUS Medium            < V4.3              4.3
Location Intelligence SUS Non-Prod          < V4.3              4.3
Location Intelligence SUS Small             < V4.3              4.3
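The table above applies to every deployment size, so the practical task is to walk an asset inventory and flag each Location Intelligence install whose version is below V4.3. The following triage helper is an added example, not OTPulse or Siemens code; the product names and the fixed version come from the table, while the inventory rows are constructed for illustration. It compares versions as numeric tuples rather than strings, so "V4.10" is correctly treated as newer than "V4.3".

```python
"""Flag Location Intelligence installs that still need the V4.3 update.

Added example (not OTPulse or Siemens code). Product names and the fixed
version are taken from the advisory's affected-products table; the
inventory rows below are constructed sample data.
"""
import re

# The eight affected product lines listed in the advisory.
AFFECTED_PRODUCTS = {
    "Location Intelligence Perpetual Large",
    "Location Intelligence Perpetual Medium",
    "Location Intelligence Perpetual Non-Prod",
    "Location Intelligence Perpetual Small",
    "Location Intelligence SUS Large",
    "Location Intelligence SUS Medium",
    "Location Intelligence SUS Non-Prod",
    "Location Intelligence SUS Small",
}

# Versions strictly below this are affected ("< V4.3" in the table).
FIXED_VERSION = (4, 3)

_VERSION_RE = re.compile(r"^\s*V?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn 'V4.2.1', '4.3' or 'v4.10' into a comparable integer tuple.

    Raises ValueError for strings that are not a dotted version, so that
    unknown inventory entries are surfaced for review instead of silently
    passing as fixed.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def is_affected(product, version):
    """True when the product is one of the listed lines and runs below V4.3."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < FIXED_VERSION


def triage(inventory):
    """Classify inventory rows as 'affected', 'fixed', 'review' or 'out-of-scope'.

    inventory: iterable of (host, product, version) tuples.
    Returns a dict mapping host -> status.
    """
    result = {}
    for host, product, version in inventory:
        if product not in AFFECTED_PRODUCTS:
            result[host] = "out-of-scope"
            continue
        try:
            result[host] = "affected" if is_affected(product, version) else "fixed"
        except ValueError:
            # Version could not be parsed: needs a manual check, not a pass.
            result[host] = "review"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("li-prod-01", "Location Intelligence SUS Large", "V4.2.1"),
    ("li-prod-02", "Location Intelligence Perpetual Medium", "4.3"),
    ("li-test-01", "Location Intelligence SUS Non-Prod", "V4.10"),
    ("li-old-01", "Location Intelligence Perpetual Small", "unknown"),
    ("hmi-01", "Some Other Product", "1.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Hosts reported as "affected" go on the maintenance-window list for the V4.3 update; "review" entries should be checked by hand, since an unparsable version string is more often an inventory gap than a patched system.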
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Location Intelligence to version 4.3 or later via Siemens Online Software Delivery (OSD)
API: /api/v1/advisories/48caec8a-37d2-43ae-92ac-3037da3283b1