PT-2020-6835 · Sprecher · Sprecon-E
Published 2020-10-19 · Updated 2021-07-21 · CVE-2020-11496
CVSS v2.0
7.2
High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Sprecher SPRECON-E versions prior to 8.64b
Description
The SPRECON-E firmware does not sufficiently validate the parameter values it receives. Those values are normally checked only on the engineering side, by the engineering software during parameterization, and the device accepts them as already valid. An attacker with access to the local engineering data (the configuration files from which parameter files are built) can therefore insert malicious commands into those files; once they are compiled into valid parameter files, transferred to the device, and the device is restarted, the injected commands are executed, giving arbitrary code execution on the automation module. Because the attack requires access to the engineering data rather than a network-reachable interface, the CVSS vector rates the access vector as local (AV:L).
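The pattern behind the flaw, as an added illustrative example in C that is not Sprecon-E firmware code: a device-side parameter loader that trusts values the engineering tool is assumed to have checked and splices them into a command line, beside a loader that re-validates every value against the device's own table of known parameters and never goes through a shell. The name=value file format, the parameter names ied_address and station_name, their ranges, and the paramset helper command are assumptions for the illustration; nothing here reflects the actual SPRECON-E parameter format.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME  32
#define MAX_VALUE 64

/* Constructed device configuration written by the hardened loader. */
struct device_params {
    long ied_address;                 /* numeric parameter, assumed range 1..254 */
    char station_name[MAX_VALUE + 1]; /* identifier parameter */
};

/* Vulnerable pattern: trust the engineering tool and splice the value into a
 * shell command line for a hypothetical "paramset" helper. A value containing
 * shell metacharacters becomes extra commands as soon as this string reaches
 * system() or popen(). This function only builds the string; it runs nothing. */
int build_command_trusting(const char *name, const char *value,
                           char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "paramset %s %s", name, value);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Split "name=value" into its parts; rejects malformed or oversized lines. */
static int split_line(const char *line, char *name, char *value)
{
    const char *eq = strchr(line, '=');
    if (!eq) return -1;
    size_t nlen = (size_t)(eq - line);
    size_t vlen = strlen(eq + 1);
    if (vlen && eq[vlen] == '\n') vlen--;          /* drop a trailing newline */
    if (nlen == 0 || nlen > MAX_NAME || vlen == 0 || vlen > MAX_VALUE) return -1;
    memcpy(name, line, nlen);    name[nlen] = '\0';
    memcpy(value, eq + 1, vlen); value[vlen] = '\0';
    return 0;
}

/* Identifier values: letters, digits, '_', '.', '-' only (allow-list). */
int value_is_identifier(const char *value)
{
    if (*value == '\0') return 0;
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (!(isalnum(*p) || *p == '_' || *p == '.' || *p == '-')) return 0;
    return 1;
}

/* Numeric values: the whole string must be a decimal integer in [lo, hi]. */
int value_is_int_in_range(const char *value, long lo, long hi, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0') return 0;
    if (v < lo || v > hi) return 0;
    *out = v;
    return 1;
}

/* Hardened pattern: the device re-validates every line against its own table
 * of known parameters and types, regardless of what the engineering tool did,
 * and never hands a value to a shell. Returns 0 if applied, -1 if rejected. */
int apply_parameter_line(const char *line, struct device_params *p)
{
    char name[MAX_NAME + 1], value[MAX_VALUE + 1];
    if (split_line(line, name, value) != 0) return -1;

    if (strcmp(name, "ied_address") == 0) {
        long v;
        if (!value_is_int_in_range(value, 1, 254, &v)) return -1;
        p->ied_address = v;
        return 0;
    }
    if (strcmp(name, "station_name") == 0) {
        if (!value_is_identifier(value)) return -1;
        strcpy(p->station_name, value);   /* length already bounded by split_line */
        return 0;
    }
    return -1;   /* unknown parameter: reject rather than pass it through */
}

int main(void)
{
    /* Constructed sample parameter file, including one tampered line. */
    const char *lines[] = {
        "ied_address=12",
        "station_name=SUB_A",
        "ied_address=12; reboot",
        "unknown=1",
    };
    struct device_params p = {0};
    char name[MAX_NAME + 1], value[MAX_VALUE + 1], cmd[256];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = apply_parameter_line(lines[i], &p);
        printf("%-24s hardened loader: %s\n", lines[i], rc == 0 ? "accepted" : "rejected");
        if (split_line(lines[i], name, value) == 0 &&
            build_command_trusting(name, value, cmd, sizeof cmd) == 0)
            printf("%-24s trusting loader would run: %s\n", lines[i], cmd);
    }
    return 0;
}
```

The tampered line "ied_address=12; reboot" passes the trusting loader unchanged and would run "paramset ied_address 12; reboot" under a shell, while the hardened loader rejects it because the value is not a pure integer. The point of the device-side table is that validation no longer depends on which tool produced the file or who edited it on the engineering workstation.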
Recommendations
For versions prior to 8.64b, update the firmware to version 8.64b or later. Until the update is applied, restrict access to the engineering workstation, the local configuration files and the engineering data to authorized personnel only, since the attack depends on being able to modify those files before they are compiled and transferred to the device. Treat parameter files as untrusted input and check their integrity before transfer, for example by comparing them against a known-good copy kept under change control.
Fix
Command Injection
RCE
Related Identifiers
Affected Products
Sprecon-E