Vulnerabilities > CVE-2022-33137 - Insufficient Session Expiration vulnerability in Siemens products

CVSS 8.0 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

siemens

CWE-613

NVD

Published: 2022-07-12

Updated: 2022-07-15

Summary

A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.

Vulnerable Configurations

Part	Description	Count
OS	Siemens Siemens Simatic Mv540 H Firmware * Siemens Simatic Mv540 S Firmware * Siemens Simatic Mv550 H Firmware * Siemens Simatic Mv550 S Firmware * Siemens Simatic Mv560 U Firmware * Siemens Simatic Mv560 X Firmware *	6
Hardware	Siemens Siemens Simatic Mv540 H - Siemens Simatic Mv540 S - Siemens Simatic Mv550 H - Siemens Simatic Mv550 S - Siemens Simatic Mv560 U - Siemens Simatic Mv560 X -	6

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf