Local Privilege Escalation Vulnerability in Spectrum Power 7 Before V24Q3
Plan Patch7.8SSA-616032Nov 12, 2024
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Spectrum Power 7 before V24Q3 contains several root-owned SUID binaries that allow an authenticated local attacker to escalate privileges to root. This could enable unauthorized control or modification of power system functions managed by the software.
What this means
What could happen
An authenticated user with local access to a Spectrum Power 7 system could escalate their privileges to root, potentially gaining control over power generation, distribution, or monitoring capabilities that the system manages.
Who's at risk
This impacts electricity utilities and energy infrastructure operators running Siemens Spectrum Power 7 for power system monitoring, control, and management. Any organization using this software on operational systems should prioritize this fix.
How it could be exploited
An attacker with a valid local account on the Spectrum Power 7 server would exploit root-owned SUID (Set User ID) binaries to escalate privileges. Once they achieve root access, they could modify system configurations, access sensitive data, or manipulate the power system functions that Spectrum Power 7 controls.
Prerequisites
- Valid local user account on the Spectrum Power 7 system
- Local shell or console access to the affected system
- System running Spectrum Power 7 version before V24Q3
Local access requiredLow complexity exploitationAffects critical infrastructureHigh privilege escalation potential
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Spectrum Power 7All versions < V24Q324Q3
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate Spectrum Power 7 to version V24Q3 or later
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/452d4289-235d-45a3-89a7-ddf51e6e28a6