CVE-2022-33139
CRITICALCerberus DMS, Desigo CC, Desigo CC Compact, SIMATIC WinCC OA - Unauthenticated User Impersonation
Title source: llmDescription
A vulnerability has been identified in Cerberus DMS (All versions), Desigo CC (All versions), Desigo CC Compact (All versions), SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration). Affected applications use client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated.
References (2)
Core 2
Core References
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-111512.pdf
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-836027.pdf
Scores
CVSS v3
9.8
EPSS
0.0041
EPSS Percentile
61.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-603
CWE-287
Status
published
Products (6)
siemens/cerberus_dms
siemens/desigo_cc
siemens/desigo_cc_compact
siemens/wincc_open_architecture
3.16
siemens/wincc_open_architecture
3.17
siemens/wincc_open_architecture
3.18
Published
Jun 21, 2022
Tracked Since
Feb 18, 2026