Redfish Server Vulnerability in maxView Storage Manager
Act Now · Score 10 · SSA-702935 · Jan 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
maxView Storage Manager contains an input validation vulnerability (CWE-20) in its Redfish server that allows unauthenticated remote attackers to gain administrative access to the storage management interface. This affects SIMATIC IPC1047E, IPC647E, and IPC847E systems running maxView Storage Manager versions prior to V4.14.00.26068 on Windows. The vulnerability has a CVSS score of 10.0: network attack vector, low attack complexity, no privileges required, and no user interaction needed.
What this means
What could happen
An attacker with network access to the Redfish API could gain unauthorized administrative access to the storage manager, potentially allowing them to modify storage configurations, access sensitive data, or interfere with industrial processes that depend on the storage system.
Who's at risk
Operators and maintainers of Siemens SIMATIC IPC industrial PCs (models IPC1047E, IPC647E, IPC847E) that run maxView Storage Manager for local or networked storage management should prioritize this update. These systems are commonly used in manufacturing, process automation, and utility environments where storage integrity is critical to operations.
How it could be exploited
An attacker on the network sends unauthenticated requests to the Redfish API endpoint (typically port 5040 or similar on the IPC) without valid credentials. The vulnerability in input validation allows the attacker to bypass authentication checks and gain full administrative access to the storage manager.
Prerequisites
- Network access to the Redfish API port on the SIMATIC IPC (default or configured port)
- No authentication credentials required
Key factors:
- Remotely exploitable
- No authentication required
- Low complexity
- Critical CVSS score (10.0)
- Affects storage management and data integrity
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 pending
Product | Affected Versions | Fix Status
SIMATIC IPC1047E | All versions with maxView Storage Manager < V4.14.00.26068 on Windows | No fix yet
SIMATIC IPC647E | All versions with maxView Storage Manager < V4.14.00.26068 on Windows | No fix yet
SIMATIC IPC847E | All versions with maxView Storage Manager < V4.14.00.26068 on Windows | No fix yet
Remediation & Mitigation
- Schedule: requires maintenance window
- Patching may require device reboot; plan for process interruption
- Hotfix: update maxView Storage Manager to version V4.14.00.26068 or later
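The practical question for an operator is which hosts in the fleet still run a maxView build older than V4.14.00.26068 on one of the three listed IPC models. The script below is an added example, not code from the advisory or from Siemens: it parses maxView version strings numerically (so "4.9" sorts before "4.14", which a string comparison gets wrong) and triages a constructed inventory against the advisory's affected-product definition. The inventory records, hostnames and the unlisted model name are made up; how the version is collected from each host is assumed to happen elsewhere.

```python
"""Added example (not from the advisory): triage a host inventory against the
fixed maxView Storage Manager version named in SSA-702935.

Assumption: the inventory shape below is constructed for this example; how you
collect each host's maxView version (vendor UI, installer metadata) is out of
scope here.
"""
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = "V4.14.00.26068"                      # fixed version per the advisory
AFFECTED_MODELS = {"IPC1047E", "IPC647E", "IPC847E"}  # models listed in the advisory
AFFECTED_OS = "windows"                               # only Windows installs are listed

# Accepts an optional leading 'V'/'v' followed by dot-separated integers.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V4.14.00.26068' into (4, 14, 0, 26068); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised maxView version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """Component-wise numeric comparison. Shorter tuples are zero-padded so
    'V4.14' compares equal to 'V4.14.00.0' instead of sorting before it."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(model: str, os_name: str, maxview_version: str) -> bool:
    """True when the host matches the advisory's affected-product definition:
    listed model, Windows, and a maxView build older than the fixed version."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    if os_name.strip().lower() != AFFECTED_OS:
        return False
    return version_lt(maxview_version, FIXED_VERSION)


def triage(inventory: Iterable[dict]) -> List[str]:
    """Return hostnames that still need the hotfix, in inventory order."""
    return [h["host"] for h in inventory
            if is_affected(h["model"], h["os"], h["maxview"])]


# Constructed sample inventory: hostnames, versions and the unlisted model are made up.
SAMPLE_INVENTORY = [
    {"host": "ipc-line1", "model": "IPC847E",      "os": "Windows", "maxview": "V4.13.00.25980"},
    {"host": "ipc-line2", "model": "IPC647E",      "os": "Windows", "maxview": "V4.14.00.26068"},
    {"host": "ipc-line3", "model": "IPC1047E",     "os": "Windows", "maxview": "4.9.00.24100"},
    {"host": "ipc-lab",   "model": "IPC-UNLISTED", "os": "Windows", "maxview": "V4.10.00.25000"},
    {"host": "ipc-edge",  "model": "IPC847E",      "os": "Linux",   "maxview": "V4.13.00.25980"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update maxView Storage Manager to {FIXED_VERSION} or later")
```

Hosts at exactly V4.14.00.26068 are reported as fixed, matching the "or later" wording of the hotfix; a version string that does not parse raises rather than being silently treated as safe, which is the failure mode you want in an inventory check.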
CVEs (1)