Vulnerabilities > CVE-2021-33728 - Deserialization of Untrusted Data vulnerability in Siemens Sinec NMS 1.0

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

siemens

CWE-502

NVD

Published: 2021-10-12

Updated: 2021-10-18

Summary

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to upload JSON objects that are deserialized to JAVA objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary code on the device with root privileges.

Vulnerable Configurations

Part	Description	Count
Application	Siemens Siemens Sinec NMS 1.0 Siemens Sinec NMS *	4

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf