Primary

Context

Siemens Desigo CC Missing Authentication Vulnerability Allowing Arbitrary SQL Execution

Vulnerability

A vulnerability exists in Siemens Desigo CC, affecting all versions, when access from Installed Clients to the Desigo CC server is permitted from networks outside a highly protected zone, or only allowed within such zones. The server application improperly authenticates certain client requests. An unauthenticated remote attacker could exploit this flaw, potentially after modifying the client binary, to execute arbitrary SQL queries on the server database through the event port (default 4998/tcp).

Impact

Exploitation of this vulnerability could lead to unauthorized execution of SQL queries on the server database, allowing for potential data manipulation or extraction.

Remediation

To address this vulnerability, disable support for Installed Clients on the Desigo CC server and restrict access to the event port (default 4998/tcp).

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

5.0

exploitability

7.0

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

5.0

exploitability

7.0

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Siemens Desigo CC Missing Authentication Vulnerability Allowing Arbitrary SQL Execution

Vulnerability

Impact

Remediation

Affected Products

Siemens Desigo CC

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating