Description
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication for several web API endpoints. This could allow an unauthenticated remote attacker to read and download data from the device.
References (1)
Core References
Patch, Vendor Advisory x_refsource_misc
https://cert-portal.siemens.com/productcert/pdf/ssa-348662.pdf
Scores
CVSS v3
7.5
EPSS
0.0053
EPSS Percentile
67.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-306
Status
published
Products (6)
siemens/simatic_mv540_h_firmware
< 3.3
siemens/simatic_mv540_s_firmware
< 3.3
siemens/simatic_mv550_h_firmware
< 3.3
siemens/simatic_mv550_s_firmware
< 3.3
siemens/simatic_mv560_u_firmware
< 3.3
siemens/simatic_mv560_x_firmware
< 3.3
Published
Jul 12, 2022
Tracked Since
Feb 18, 2026