Siemens POWER METER SICAM Q100 and Q200 Plain Text Password Storage Vulnerability

Vulnerability

A vulnerability exists in certain POWER METER SICAM Q100 and Q200 devices, where the SMTP account password is stored in plain text. This issue affects POWER METER SICAM Q100 models 7KG9501-0AA01-0AA1, 7KG9501-0AA01-2AA1, 7KG9501-0AA31-0AA1, and 7KG9501-0AA31-2AA1, all versions from 2.60 up to but not including 2.62, as well as the POWER METER SICAM Q200 family, all versions from 2.70 up to but not including 2.80. The plain text storage of passwords could allow an authenticated local attacker to extract the password and misuse the SMTP service for various purposes.

Impact

Exploitation of this vulnerability could lead to unauthorized use of the SMTP service, potentially allowing for arbitrary email communications or other actions depending on the SMTP configuration.

Remediation

Siemens has released new versions for the affected products. POWER METER SICAM Q200 users should update to version 2.80 or later. For POWER METER SICAM Q100, consult the Siemens support portal for guidance on the latest available version.
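To decide which installed meters need the update, an asset inventory can be checked against the affected ranges given above. The following is an added example, not code from Siemens or from this page; the record fields `family`, `mlfb` and `firmware`, the dotted-integer firmware format and the sample inventory are assumptions.

```python
import re

# Affected ranges as stated in the advisory: low <= version < high.
Q100_MLFBS = {
    "7KG9501-0AA01-0AA1", "7KG9501-0AA01-2AA1",
    "7KG9501-0AA31-0AA1", "7KG9501-0AA31-2AA1",
}
AFFECTED = {"Q100": ((2, 60), (2, 62)), "Q200": ((2, 70), (2, 80))}


def parse_version(text):
    """Return a version such as 'V2.61' as a tuple of ints, or None."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(device):
    """Classify one record as 'affected', 'not affected' or 'review'."""
    family = (device.get("family") or "").upper()
    if family not in AFFECTED:
        return "not affected"
    if family == "Q100":
        # The advisory lists only four Q100 order numbers (MLFB).
        mlfb = (device.get("mlfb") or "").upper()
        if not mlfb:
            return "review"  # order number missing: check the device label
        if mlfb not in Q100_MLFBS:
            return "not affected"
    version = parse_version(device.get("firmware"))
    if version is None:
        return "review"  # firmware unknown: read it from the device
    low, high = AFFECTED[family]
    return "affected" if low <= version < high else "not affected"


INVENTORY = [  # constructed sample records, not real devices
    {"name": "sub-a-meter1", "family": "Q100", "mlfb": "7KG9501-0AA01-2AA1", "firmware": "V2.61"},
    {"name": "sub-a-meter2", "family": "Q100", "mlfb": "7KG9501-0AA31-0AA1", "firmware": "2.62"},
    {"name": "sub-b-meter1", "family": "Q200", "firmware": "2.70.1"},
    {"name": "sub-b-meter2", "family": "Q200", "firmware": "2.80"},
    {"name": "sub-c-meter1", "family": "Q200", "firmware": "unknown"},
]


def report(inventory):
    return {d["name"]: triage(d) for d in inventory}


if __name__ == "__main__":
    print(report(INVENTORY))
```

Records returned as `review` lack an order number or a parseable firmware string and should be checked on the device before being ruled out.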

Added: Aug 12, 2025, 12:34 PM
Updated: Aug 12, 2025, 2:52 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 3.5
remediation: 7.7
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.