A vulnerability was found in Siemens Spectrum Power 4, Spectrum Power 7 and Spectrum Power MGMS (version unknown). It has been rated as critical. This issue affects an unknown function of the component Shared HIS. The manipulation with an unknown input leads to a hard-coded credentials vulnerability. Using CWE to declare the problem leads to CWE-798. The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

A vulnerability has been identified in Spectrum Power 4 (All versions using Shared HIS), Spectrum Power 7 (All versions using Shared HIS), Spectrum Power MGMS (All versions using Shared HIS). An unauthenticated attacker could log into the component Shared HIS used in Spectrum Power systems by using an account with default credentials. A successful exploitation could allow the attacker to access the component Shared HIS with administrative privileges.

The weakness was presented 06/15/2022 as ssa-388239. The advisory is shared at cert-portal.siemens.com. The identification of this vulnerability is CVE-2022-26476 since 03/04/2022. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 06/15/2022). MITRE ATT&CK project uses the attack technique T1110.001 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Vendor

• Siemens

Name

• Spectrum Power 4
• Spectrum Power 7
• Spectrum Power MGMS

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion