Steffen Robertz

Name of the Vulnerable Software and Affected Versions: KioSoft "Stored Value" Unattended Payment Solutions (affected versions not specified) Description: KioSoft "Stored Value" Unattended Payment Solutions utilize vulnerable NFC cards. An attacker could potentially modify the balance on these cards, leading to unauthorized funds. The account balance is stored on an insecure MiFare Classic NFC card and can be read and written. By analyzing card dumps, attackers can identify the cash value field and a checksum calculated by XOR-ing the cash value with an unknown field. Manipulating these fields allows for arbitrary amounts of money to be added to the card, up to a limit of $655.35. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SIPROTEC 5 6MD84 (CP300) (All versions) SIPROTEC 5 6MD85 (CP200) (All versions) SIPROTEC 5 6MD85 (CP300) (All versions) SIPROTEC 5 6MD86 (CP200) (All versions) SIPROTEC 5 6MD86 (CP300) (All versions) SIPROTEC 5 6MD89 (CP300) (All versions) SIPROTEC 5 6MU85 (CP300) (All versions) SIPROTEC 5 7KE85 (CP200) (All versions) SIPROTEC 5 7KE85 (CP300) (All versions) SIPROTEC 5 7SA82 (CP100) (All versions) SIPROTEC 5 7SA82 (CP150) (All versions) SIPROTEC 5 7SA86 (CP200) (All versions) SIPROTEC 5 7SA86 (CP300) (All versions) SIPROTEC 5 7SA87 (CP200) (All versions) SIPROTEC 5 7SA87 (CP300) (All versions) SIPROTEC 5 7SD82 (CP100) (All versions) SIPROTEC 5 7SD82 (CP150) (All versions) SIPROTEC 5 7SD86 (CP200) (All versions) SIPROTEC 5 7SD86 (CP300) (All versions) SIPROTEC 5 7SD87 (CP200) (All versions) SIPROTEC 5 7SD87 (CP300) (All versions) SIPROTEC 5 7SJ81 (CP100) (All versions) SIPROTEC 5 7SJ81 (CP150) (All versions) SIPROTEC 5 7SJ82 (CP100) (All versions) SIPROTEC 5 7SJ82 (CP150) (All versions) SIPROTEC 5 7SJ85 (CP200) (All versions) SIPROTEC 5 7SJ85 (CP300) (All versions) SIPROTEC 5 7SJ86 (CP200) (All versions) SIPROTEC 5 7SJ86 (CP300) (All versions) SIPROTEC 5 7SK82 (CP100) (All versions) SIPROTEC 5 7SK82 (CP150) (All versions) SIPROTEC 5 7SK85 (CP200) (All versions) SIPROTEC 5 7SK85 (CP300) (All versions) SIPROTEC 5 7SL82 (CP100) (All versions) SIPROTEC 5 7SL82 (CP150) (All versions) SIPROTEC 5 7SL86 (CP200) (All versions) SIPROTEC 5 7SL86 (CP300) (All versions) SIPROTEC 5 7SL87 (CP200) (All versions) SIPROTEC 5 7SL87 (CP300) (All versions) SIPROTEC 5 7SS85 (CP200) (All versions) SIPROTEC 5 7SS85 (CP300) (All versions) SIPROTEC 5 7ST85 (CP200) (All versions) SIPROTEC 5 7ST85 (CP300) (All versions) SIPROTEC 5 7ST86 (CP300) (All versions) SIPROTEC 5 7SX82 (CP150) (All versions) SIPROTEC 5 7SX85 (CP300) (All versions) SIPROTEC 5 7SY82 (CP150) (All versions) SIPROTEC 5 7UM85 (CP300) (All versions) SIPROTEC 5 7UT82 (CP100) (All versions) SIPROTEC 5 7UT82 (CP150) (All versions) SIPROTEC 5 7UT85 (CP200) (All versions) SIPROTEC 5 7UT85 (CP300) (All versions) SIPROTEC 5 7UT86 (CP200) (All versions) SIPROTEC 5 7UT86 (CP300) (All versions) SIPROTEC 5 7UT87 (CP200) (All versions) SIPROTEC 5 7UT87 (CP300) (All versions) SIPROTEC 5 7VE85 (CP300) (All versions) SIPROTEC 5 7VK87 (CP200) (All versions) SIPROTEC 5 7VK87 (CP300) (All versions) SIPROTEC 5 7VU85 (CP300) (All versions) SIPROTEC 5 Compact 7SX800 (CP050) (All versions) Description: The affected devices do not encrypt certain data within the on-board flash storage on their PCB. This could allow an attacker with physical access to read the entire filesystem of the device. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SIPROTEC 5 6MD84 (CP300) versions prior to V9.90 SIPROTEC 5 6MD85 (CP200) versions prior to V9.90 SIPROTEC 5 6MD85 (CP300) versions prior to V9.90 SIPROTEC 5 6MD86 (CP200) versions prior to V9.90 SIPROTEC 5 6MD86 (CP300) versions prior to V9.90 SIPROTEC 5 6MD89 (CP300) versions prior to V9.90 SIPROTEC 5 6MU85 (CP300) versions prior to V9.90 SIPROTEC 5 7KE85 (CP200) versions prior to V9.90 SIPROTEC 5 7KE85 (CP300) versions prior to V9.90 SIPROTEC 5 7SA82 (CP100) versions prior to V9.90 SIPROTEC 5 7SA82 (CP150) versions prior to V9.90 SIPROTEC 5 7SA86 (CP200) versions prior to V9.90 SIPROTEC 5 7SA86 (CP300) versions prior to V9.90 SIPROTEC 5 7SA87 (CP200) versions prior to V9.90 SIPROTEC 5 7SA87 (CP300) versions prior to V9.90 SIPROTEC 5 7SD82 (CP100) versions prior to V9.90 SIPROTEC 5 7SD82 (CP150) versions prior to V9.90 SIPROTEC 5 7SD86 (CP200) versions prior to V9.90 SIPROTEC 5 7SD86 (CP300) versions prior to V9.90 SIPROTEC 5 7SD87 (CP200) versions prior to V9.90 SIPROTEC 5 7SD87 (CP300) versions prior to V9.90 SIPROTEC 5 7SJ81 (CP100) versions prior to V9.90 SIPROTEC 5 7SJ81 (CP150) versions prior to V9.90 SIPROTEC 5 7SJ82 (CP100) versions prior to V9.90 SIPROTEC 5 7SJ82 (CP150) versions prior to V9.90 SIPROTEC 5 7SJ85 (CP200) versions prior to V9.90 SIPROTEC 5 7SJ85 (CP300) versions prior to V9.90 SIPROTEC 5 7SJ86 (CP200) versions prior to V9.90 SIPROTEC 5 7SJ86 (CP300) versions prior to V9.90 SIPROTEC 5 7SK82 (CP100) versions prior to V9.90 SIPROTEC 5 7SK82 (CP150) versions prior to V9.90 SIPROTEC 5 7SK85 (CP200) versions prior to V9.90 SIPROTEC 5 7SK85 (CP300) versions prior to V9.90 SIPROTEC 5 7SL82 (CP100) versions prior to V9.90 SIPROTEC 5 7SL82 (CP150) versions prior to V9.90 SIPROTEC 5 7SL86 (CP200) versions prior to V9.90 SIPROTEC 5 7SL86 (CP300) versions prior to V9.90 SIPROTEC 5 7SL87 (CP200) versions prior to V9.90 SIPROTEC 5 7SL87 (CP300) versions prior to V9.90 SIPROTEC 5 7SS85 (CP200) versions prior to V9.90 SIPROTEC 5 7SS85 (CP300) versions prior to V9.90 SIPROTEC 5 7ST85 (CP200) versions prior to V9.90 SIPROTEC 5 7ST85 (CP300) versions prior to V9.90 SIPROTEC 5 7ST86 (CP300) versions prior to V9.90 SIPROTEC 5 7SX82 (CP150) versions prior to V9.90 SIPROTEC 5 7SX85 (CP300) versions prior to V9.90 SIPROTEC 5 7SY82 (CP150) versions prior to V9.90 SIPROTEC 5 7UM85 (CP300) versions prior to V9.90 SIPROTEC 5 7UT82 (CP100) versions prior to V9.90 SIPROTEC 5 7UT82 (CP150) versions prior to V9.90 SIPROTEC 5 7UT85 (CP200) versions prior to V9.90 SIPROTEC 5 7UT85 (CP300) versions prior to V9.90 SIPROTEC 5 7UT86 (CP200) versions prior to V9.90 SIPROTEC 5 7UT86 (CP300) versions prior to V9.90 SIPROTEC 5 7UT87 (CP200) versions prior to V9.90 SIPROTEC 5 7UT87 (CP300) versions prior to V9.90 SIPROTEC 5 7VE85 (CP300) versions prior to V9.90 SIPROTEC 5 7VK87 (CP200) versions prior to V9.90 SIPROTEC 5 7VK87 (CP300) versions prior to V9.90 SIPROTEC 5 7VU85 (CP300) versions prior to V9.90 SIPROTEC 5 Compact 7SX800 (CP050) versions prior to V9.90 Description: The affected devices do not properly limit access to a development shell accessible over a physical interface. This could allow an unauthenticated attacker with physical access to the device to execute arbitrary commands on the device. Recommendations: For SIPROTEC 5 6MD84 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 6MD85 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 6MD85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 6MD86 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 6MD86 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 6MD89 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 6MU85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7KE85 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7KE85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SA82 (CP100) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SA82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SA86 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SA86 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SA87 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SA87 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SD82 (CP100) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SD82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SD86 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SD86 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SD87 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SD87 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ81 (CP100) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ81 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ82 (CP100) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ85 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ86 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SJ86 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SK82 (CP100) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SK82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SK85 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SK85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SL82 (CP100) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SL82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SL86 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SL86 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SL87 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SL87 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SS85 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SS85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7ST85 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7ST85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7ST86 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SX82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SX85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7SY82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UM85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT82 (CP100) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT82 (CP150) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT85 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT86 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT86 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT87 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7UT87 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7VE85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7VK87 (CP200) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7VK87 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 7VU85 (CP300) versions prior to V9.90, update to version V9.90 or later. For SIPROTEC 5 Compact 7SX800 (CP050) versions prior to V9.90, update to version V9.90 or later.

Name of the Vulnerable Software and Affected Versions: Wattsense Bridge versions prior to 6.1.0 Description: An authenticated attacker can use the Plugin Manager of the web interface to upload malicious Python files, enabling remote root access to the device. The attacker needs a valid user account on the Wattsense web interface to conduct this attack. Recommendations: For versions prior to 6.1.0, update to a firmware version BSP >= 6.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the Plugin Manager or disabling the upload of Python files until the update is applied.

Name of the Vulnerable Software and Affected Versions: Wattsense Bridge devices versions prior to BSP 6.4.1 Description: A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. Recommendations: For versions prior to BSP 6.4.1, update to a recent firmware version BSP >= 6.4.1 to resolve the issue. As a temporary workaround, consider restricting physical access to the PCB of Wattsense Bridge devices to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Wattsense Bridge (affected versions not specified) Description: The issue allows access to the JTAG interface of Wattsense Bridge devices through physical access to the PCB. After connecting to the interface, full access to the device is possible, enabling an attacker to extract information, modify, and debug the device's firmware. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Wattsense Bridge versions prior to 6.4.1 Description: The firmware of all Wattsense Bridge devices contains the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. Recommendations: For Wattsense Bridge versions prior to 6.4.1, update the firmware to version 6.4.1 or later to remove the backdoor user and hard-coded credentials. As a temporary workaround, consider restricting access to the serial interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SIPROTEC 5 6MD84 (CP300) versions prior to V9.80 SIPROTEC 5 6MD85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 6MD86 (CP300) versions 7.80 through 9.79 SIPROTEC 5 6MD89 (CP300) versions 7.80 through 9.89 SIPROTEC 5 6MU85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7KE85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SA82 (CP100) versions 7.80 and later SIPROTEC 5 7SA82 (CP150) versions prior to V9.80 SIPROTEC 5 7SA86 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SA87 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SD82 (CP100) versions 7.80 and later SIPROTEC 5 7SD82 (CP150) versions prior to V9.80 SIPROTEC 5 7SD86 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SD87 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SJ81 (CP100) versions 7.80 and later SIPROTEC 5 7SJ81 (CP150) versions prior to V9.80 SIPROTEC 5 7SJ82 (CP100) versions 7.80 and later SIPROTEC 5 7SJ82 (CP150) versions prior to V9.80 SIPROTEC 5 7SJ85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SJ86 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SK82 (CP100) versions 7.80 and later SIPROTEC 5 7SK82 (CP150) versions prior to V9.80 SIPROTEC 5 7SK85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SL82 (CP100) versions 7.80 and later SIPROTEC 5 7SL82 (CP150) versions prior to V9.80 SIPROTEC 5 7SL86 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SL87 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7SS85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7ST85 (CP300) versions prior to V9.80 SIPROTEC 5 7ST86 (CP300) versions prior to V9.80 SIPROTEC 5 7SX82 (CP150) versions prior to V9.80 SIPROTEC 5 7SX85 (CP300) versions prior to V9.80 SIPROTEC 5 7SY82 (CP150) versions prior to V9.80 SIPROTEC 5 7UM85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7UT82 (CP100) versions 7.80 and later SIPROTEC 5 7UT82 (CP150) versions prior to V9.80 SIPROTEC 5 7UT85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7UT86 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7UT87 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7VE85 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7VK87 (CP300) versions 7.80 through 9.79 SIPROTEC 5 7VU85 (CP300) versions prior to V9.80 SIPROTEC 5 Compact 7SX800 (CP050) versions prior to V9.80 **Description** The affected devices do not properly limit the path accessible via their webserver, allowing an authenticated remote attacker to read arbitrary files from the filesystem of affected devices. **Recommendations** For SIPROTEC 5 6MD84 (CP300) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 6MD85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 6MD86 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 6MD89 (CP300) versions 7.80 through 9.89, update to version V9.90 or later. For SIPROTEC 5 6MU85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7KE85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SA82 (CP100) versions 7.80 and later, restrict access to the webserver until a patch is available. For SIPROTEC 5 7SA82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SA86 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SA87 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SD82 (CP100) versions 7.80 and later, restrict access to the webserver until a patch is available. For SIPROTEC 5 7SD82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SD86 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SD87 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SJ81 (CP100) versions 7.80 and later, restrict access to the webserver until a patch is available. For SIPROTEC 5 7SJ81 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SJ82 (CP100) versions 7.80 and later, restrict access to the webserver until a patch is available. For SIPROTEC 5 7SJ82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SJ85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SJ86 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SK82 (CP100) versions 7.80 and later, restrict access to the webserver until a patch is available. For SIPROTEC 5 7SK82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SK85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SL82 (CP100) versions 7.80 and later, restrict access to the webserver until a patch is available. For SIPROTEC 5 7SL82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SL86 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SL87 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7SS85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7ST85 (CP300) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7ST86 (CP300) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SX82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SX85 (CP300) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7SY82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7UM85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7UT82 (CP100) versions 7.80 and later, restrict access to the webserver until a patch is available. For SIPROTEC 5 7UT82 (CP150) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 7UT85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7UT86 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7UT87 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7VE85 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7VK87 (CP300) versions 7.80 through 9.79, update to version V9.80 or later. For SIPROTEC 5 7VU85 (CP300) versions prior to V9.80, update to version V9.80 or later. For SIPROTEC 5 Compact 7SX800 (CP050) versions prior to V9.80, update to version V9.80 or later.

Name of the Vulnerable Software and Affected Versions: CPCI85 Central Processing/Communication versions prior to V05.30 Description: A vulnerability has been identified in the CPCI85 Central Processing/Communication devices. The affected devices contain a secure element connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files. Recommendations: For versions prior to V05.30, consider restricting physical access to the SPI bus as a temporary mitigation measure until a patch is available. Additionally, avoid using the secure element for authentication until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CPCI85 Central Processing/Communication versions prior to V5.40 SICORE Base system versions prior to V1.4.0 Description: A vulnerability has been identified that allows a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the device. This could allow an attacker to downgrade the device to older versions with known vulnerabilities. The issue is related to the lack of authentication for a critical function, which can be exploited by a remote attacker to lower the device's firmware version. Recommendations: For CPCI85 Central Processing/Communication versions prior to V5.40, update to version V5.40 or later to resolve the issue. For SICORE Base system versions prior to V1.4.0, update to version V1.4.0 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the devices and limiting remote access to authenticated users only until a patch is applied.

Name of the Vulnerable Software and Affected Versions: OPUPI0 AMQP/MQTT versions prior to V5.30 Description: A vulnerability has been identified that allows an attacker with remote shell access or physical access to retrieve credentials due to insufficient protection of stored MQTT client passwords, leading to confidentiality loss. The issue is related to the storage of confidential information without encryption. Recommendations: For versions prior to V5.30, update to version V5.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the device to minimize the risk of exploitation. Avoid using the device until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: CPCI85 Central Processing/Communication versions prior to V5.30 SICORE Base system versions prior to V1.3.0 Description: A command injection vulnerability exists due to missing server-side input sanitation in the web interface of affected devices. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. Recommendations: For CPCI85 Central Processing/Communication versions prior to V5.30, update to version V5.30 or later. For SICORE Base system versions prior to V1.3.0, update to version V1.3.0 or later. As a temporary workaround, consider restricting access to the web interface of affected devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CPC80 Central Processing/Communication versions prior to V16.41 CPCI85 Central Processing/Communication versions prior to V5.30 CPCX26 Central Processing/Communication versions prior to V06.02 ETA4 Ethernet Interface IEC60870-5-104 versions prior to V10.46 ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions prior to V03.27 PCCX26 Ax 1703 PE, Contr, Communication Element versions prior to V06.05 **Description** A vulnerability has been identified in the affected devices, which contain an improper null termination issue while parsing a specific HTTP header. This could allow an attacker to execute code in the context of the current process or lead to a denial of service condition. The vulnerability is related to errors in null termination when analyzing a particular HTTP header, which may enable an attacker to execute arbitrary code or cause a service denial. **Recommendations** For CPC80 Central Processing/Communication versions prior to V16.41, update to version V16.41 or later. For CPCI85 Central Processing/Communication versions prior to V5.30, update to version V5.30 or later. For CPCX26 Central Processing/Communication versions prior to V06.02, update to version V06.02 or later. For ETA4 Ethernet Interface IEC60870-5-104 versions prior to V10.46, update to version V10.46 or later. For ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions prior to V03.27, update to version V03.27 or later. For PCCX26 Ax 1703 PE, Contr, Communication Element versions prior to V06.05, update to version V06.05 or later. As a temporary workaround, consider restricting access to the vulnerable HTTP header until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SIMCom SIM7600G modem (affected versions not specified) **Description** The issue concerns an undocumented AT command in the SIMCom SIM7600G modem, allowing an attacker to execute system commands with root permission on the modem. This can be achieved with either physical access or remote shell access to a device that interacts directly with the modem via AT commands. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified in the web interface of affected devices due to missing server-side input sanitation, making it vulnerable to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface of affected devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified that involves the use of hard-coded credentials in the firmware of the affected devices. This could allow an attacker with direct physical access to exploit the vulnerability for UART console login to the device, potentially leading to privilege escalation. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the devices until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** A vulnerability has been identified that involves an exposed UART console login interface. This issue could allow an attacker with direct physical access to attempt bruteforcing or cracking the root password to gain login access to the device. The vulnerability is related to the web server software of the Siemens SICAM processor control modules, specifically affecting the CP-8031 and CP-8050 models. Exploitation of this vulnerability may enable an attacker to elevate their privileges to the root level. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, consider restricting physical access to the device to prevent potential bruteforcing or password cracking attempts until a patch or update is available. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, consider restricting physical access to the device to prevent potential bruteforcing or password cracking attempts until a patch or update is available. As a temporary workaround, consider disabling the UART console login interface on both CP-8031 and CP-8050 MASTER MODULEs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DG3450 Cable Gateway version AR01.02.056.18 041520 711.NCS.10 **Description** An issue was discovered in the log file download functionality of the troubleshooting logs download.php file, which does not check the session cookie. This allows an attacker to download all log files. **Recommendations** For DG3450 Cable Gateway version AR01.02.056.18 041520 711.NCS.10, consider restricting access to the troubleshooting logs download.php file until a patch is available. As a temporary workaround, restrict the download functionality to only authenticated and authorized sessions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CommScope Arris DG3450 Cable Gateway version AR01.02.056.18 041520 711.NCS.10 **Description** A reflected XSS issue was discovered in the "https redirect.php" web page via the `page` parameter. This allows for potential malicious script execution. **Recommendations** For version AR01.02.056.18 041520 711.NCS.10, as a temporary workaround, consider restricting access to the "https redirect.php" web page until a patch is available. Avoid using the `page` parameter in the affected web page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** CP-8031 MASTER MODULE versions prior to CPCI85 V05 CP-8050 MASTER MODULE versions prior to CPCI85 V05 **Description** The issue is related to insufficient argument checking in the web server of the Siemens SICAM CP-8031 and CP-8050 processor control modules. This can be exploited by a remote attacker to execute arbitrary commands via the web server port 443/tcp if the `Remote Operation` parameter is enabled. By default, the `Remote Operation` parameter is disabled. The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device. **Recommendations** For CP-8031 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05, update to version CPCI85 V05 or later to resolve the issue. As a temporary workaround, consider disabling the `Remote Operation` parameter to minimize the risk of exploitation.