Description
A vulnerability has been identified in SICAM PAS/PQS (all versions < V7.0). The affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the xp_cmdshell feature, which is enabled by default, unauthenticated remote attackers who can capture this traffic could execute custom OS commands on the host. At the time the CVE was assigned, the affected firmware version of the component had already been superseded by succeeding mainline versions.
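The attack chain above relies on two conditions: a login that can be recovered from unencrypted traffic, and an xp_cmdshell extended stored procedure that is switched on. The following T-SQL is an added example, not part of this advisory or of the vendor's material, that checks both conditions on an affected SQL Server instance and turns xp_cmdshell off. It assumes the inbuilt database is Microsoft SQL Server (xp_cmdshell is a SQL Server feature) and that you run it with a sysadmin login through a tool such as sqlcmd or SSMS.

```sql
-- 1. Is xp_cmdshell enabled?  value_in_use = 1 means it is live on this instance.
--    SQL Server ships with it disabled; the advisory states the product enables it.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who could actually reach the OS through it?  xp_cmdshell runs as the SQL Server
--    service account for members of sysadmin (non-sysadmins need a proxy account).
--    Any login listed here whose password crosses the wire in cleartext is the
--    "credentials + xp_cmdshell = OS commands" path the advisory describes.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';

-- 3. Are the current client connections encrypted?  encrypt_option = 'FALSE' on a
--    TCP connection means the TDS login, and everything after it, was sent in the clear.
SELECT session_id, net_transport, encrypt_option, auth_scheme, client_net_address
FROM sys.dm_exec_connections
WHERE net_transport = 'TCP';

-- 4. Mitigation for the second half of the chain: disable xp_cmdshell.
--    'show advanced options' must be on before sp_configure will accept the setting.
--    Caveat: if the application depends on xp_cmdshell, this will break that function;
--    verify against the vendor advisory before applying in production.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 5. Confirm the change took effect.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Disabling xp_cmdshell removes the command-execution step but not the credential leak itself; the captured login still grants full database access. Requiring encrypted connections ("Force Encryption" on the server's network protocol settings, set through SQL Server Configuration Manager rather than T-SQL) addresses the first half, and the vendor advisory linked below gives the supported fix, which is upgrading to V7.0 or later.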
References (1)
Patch, Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-849072.pdf
Scores
CVSS v3
9.8
EPSS
0.0068
EPSS Percentile
71.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-319 (Cleartext Transmission of Sensitive Information)
Status
published
Products (1)
siemens/sicam_pas\/pqs
< 7.0
Published
Dec 13, 2022
Tracked Since
Feb 18, 2026