Christian Hager

**Name of the Vulnerable Software and Affected Versions** Wertheim SafeController Software version 6.15.8328.28014 **Description** An incorrect authorization issue exists in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, such as activating boxes outside of their authorized branch. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wertheim SafeController 5400 version 6.11.8130.22320 **Description** The device uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path can sniff RS-485 messages and replay previously observed messages. This allows for the spoofing of messages, such as a "quit alarm" message, to continuously deactivate the safe alarm. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319 **Description** The software uses weak custom cryptographic algorithms and hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt data traffic. It is possible to break the encryption/decryption routine to decrypt messages without the encryption key or intercept sufficient messages to discover the key itself. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified that involves the use of hard-coded credentials in the firmware of the affected devices. This could allow an attacker with direct physical access to exploit the vulnerability for UART console login to the device, potentially leading to privilege escalation. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the devices until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified that involves an exposed UART console login interface. This issue could allow an attacker with direct physical access to attempt bruteforcing or cracking the root password to gain login access to the device. The vulnerability is related to the web server software of the Siemens SICAM processor control modules, specifically affecting the CP-8031 and CP-8050 models. Exploitation of this vulnerability may enable an attacker to elevate their privileges to the root level. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, consider restricting physical access to the device to prevent potential bruteforcing or password cracking attempts until a patch or update is available. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, consider restricting physical access to the device to prevent potential bruteforcing or password cracking attempts until a patch or update is available. As a temporary workaround, consider disabling the UART console login interface on both CP-8031 and CP-8050 MASTER MODULEs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified in the web interface of affected devices due to missing server-side input sanitation, making it vulnerable to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface of affected devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** The issue is related to insufficient argument checking in the web server of the Siemens SICAM CP-8031 and CP-8050 processor control modules. This can be exploited by a remote attacker to execute arbitrary commands via the web server port 443/tcp if the `Remote Operation` parameter is enabled. By default, the `Remote Operation` parameter is disabled. The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider disabling the `Remote Operation` parameter to minimize the risk of exploitation.