Local Privilege Escalation Vulnerability in Spectrum Power 7
Plan Patch7.8SSA-786191Jan 9, 2024
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Spectrum Power 7 contains an authenticated local privilege escalation vulnerability (CWE-732) that allows an attacker with a user account to inject arbitrary code and gain root access on the system. Siemens has released version 23Q4 as a fix.
What this means
What could happen
An authenticated local attacker could run arbitrary code with root privileges on Spectrum Power 7, potentially altering power system configurations, monitoring data, or disrupting energy management functions.
Who's at risk
Energy utilities operating Spectrum Power 7 for energy management, SCADA monitoring, or grid control systems. This affects organizations using any version prior to 23Q4 of Spectrum Power 7.
How it could be exploited
An attacker with a local account on a Spectrum Power 7 system could inject malicious code through a privilege escalation weakness in the application. Once executed, the attacker would gain root-level access to the server, allowing them to modify critical power system parameters or disrupt operations.
Prerequisites
- Local access to a Spectrum Power 7 system
- Valid user account credentials (non-administrative)
Local access requiredAuthentication requiredLow complexity attackHigh severity privilege escalationAffects energy management systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Spectrum Power 7All versions < V23Q423Q4
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate Spectrum Power 7 to version 23Q4 or later
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/54e97ede-1b37-46d6-8834-6c799b754388