Siemens SENTRON 7KT PAC1260 Data Manager Unauthenticated Password Change Vulnerability via CSRF
Vulnerability
A vulnerability exists in the Siemens SENTRON 7KT PAC1260 Data Manager, all versions, allowing an unauthenticated attacker to change the login password through the web interface, without knowledge of the current password. This vulnerability can be exploited in conjunction with a Cross-Site Request Forgery (CSRF) attack, as detailed in CVE-2024-41795, to set the password to a value controlled by the attacker.
Impact
Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized access to the device.
Remediation
Siemens recommends replacing the SENTRON 7KT PAC1260 Data Manager with the SENTRON 7KT PAC1261 Data Manager and updating to the latest available firmware version. The new model 7KT1261 is available through the Siemens Industry Mall. For further inquiries on security vulnerabilities in Siemens products, contact Siemens ProductCERT.
