OTPulse

Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.5

Priority: Act Now
CVSS: 9.8
Advisory: SSA-916916
Date: May 14, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

RUGGEDCOM CROSSBOW versions before V5.5 contain multiple security vulnerabilities including SQL injection (CWE-89) and unrestricted file upload (CWE-73) flaws. These vulnerabilities allow unauthenticated attackers to execute arbitrary database queries, upload arbitrary files to the server, or bypass access controls (CWE-862). The vulnerabilities could result in unauthorized data access, data modification, or system availability impact. Siemens has released RUGGEDCOM CROSSBOW V5.5 with fixes for these issues.

What this means
What could happen
An attacker could inject malicious SQL commands to access or modify the device database, or upload arbitrary files that could compromise the application and disrupt network management functions. High availability impact is likely.
Who's at risk
Network and IT managers running RUGGEDCOM CROSSBOW as a management platform for industrial routers and network infrastructure in electrical utilities, water authorities, and manufacturing plants should prioritize this update. The vulnerability affects the central management server that controls routing and connectivity for critical OT devices.
How it could be exploited
An attacker with network access to the RUGGEDCOM CROSSBOW application could craft malicious SQL injection payloads in application input fields to execute arbitrary database queries, or send specially crafted file uploads to write unauthorized files to the application server. No authentication is required.
Prerequisites
  • Network access to the RUGGEDCOM CROSSBOW web application port
  • No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), affects critical management infrastructure, multiple vulnerability types
Exploitability
Moderate exploit probability (EPSS 2.6%)
Affected products (1)
Product            | Affected Versions | Fix Status
RUGGEDCOM CROSSBOW | < V5.5            | 5.5
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update RUGGEDCOM CROSSBOW to version 5.5 or later