CVE-2023-46097

Name of the Vulnerable Software and Affected Versions SIMATIC PCS neo versions prior to V4.1

Description A vulnerability has been identified in the PUD Manager of SIMATIC PCS neo, where it does not properly neutralize user-provided inputs. This could allow an authenticated adjacent attacker to execute SQL statements in the underlying database. The issue is related to the lack of protection against SQL query structure exploitation, which may enable a remote attacker to execute arbitrary SQL queries to the database.

Recommendations For versions prior to V4.1, update to version V4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the PUD Manager to minimize the risk of exploitation. Avoid using user-provided inputs in the affected SQL queries until the issue is resolved.