CVE-2018-13804

HIGH

SIMATIC IT LMS and Production Suite - Improper Authentication

Title source: llm

Description

A vulnerability has been identified in SIMATIC IT LMS (All versions), SIMATIC IT Production Suite (Versions V7.1 < V7.1 Upd3), SIMATIC IT UA Discrete Manufacturing (Versions < V1.2), SIMATIC IT UA Discrete Manufacturing (Versions V1.2), SIMATIC IT UA Discrete Manufacturing (Versions V1.3), SIMATIC IT UA Discrete Manufacturing (Versions V2.3), SIMATIC IT UA Discrete Manufacturing (Versions V2.4). An attacker with network access to the installation could bypass the application-level authentication. In order to exploit the vulnerability, an attacker must obtain network access to an affected installation and must obtain a valid username to the system. Successful exploitation requires no user privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system. At the time of advisory publication no public exploitation of this vulnerability was known.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://cert-portal.siemens.com/productcert/pdf/ssa-886615.pdf

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/105924

Scores

CVSS v3 8.1

EPSS 0.0338

EPSS Percentile 87.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (6)

siemens/simatic_it_line_monitoring_system

siemens/simatic_it_production_suite v7.1

siemens/simatic_it_ua_discrete_manufacturing v1.3

siemens/simatic_it_ua_discrete_manufacturing v2.3

siemens/simatic_it_ua_discrete_manufacturing v2.4

siemens/simatic_it_ua_discrete_manufacturing < v1.2

Published Dec 13, 2018

Tracked Since Feb 18, 2026