PatchSiren cyber security CVE debrief

CVE-2023-28260 Siemens CVE debrief

CVE-2023-28260 is a .NET DLL hijacking vulnerability in Siemens ST7 ScadaConnect that enables remote code execution, with a CVSS 3.1 score of 7.8 (HIGH). It was published on June 11, 2024 and affects ST7 ScadaConnect (6NH7997-5DA10-0AA0). The issue stems from improper handling of DLL loading in the .NET framework component: an attacker with local access can execute arbitrary code by placing a malicious DLL in a location that the application searches before legitimate system libraries. The attack vector is local, requires low privileges, and needs no user interaction; successful exploitation has high impact on confidentiality, integrity, and availability.

Siemens has released a vendor fix in version 1.1 or later to address this vulnerability. CISA published advisory ICSA-24-165-04 on the same date as the CVE publication, coordinating disclosure through the CSAF format. Organizations running affected versions should prioritize updating to the patched release, as DLL hijacking vulnerabilities in industrial control systems can serve as significant attack vectors for lateral movement and persistent access in operational technology environments.

Vendor: Siemens
Product: ST7 ScadaConnect (6NH7997-5DA10-0AA0)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-11
Original CVE updated: 2024-06-11
Advisory published: 2024-06-11
Advisory updated: 2024-06-11

Who should care

Organizations operating Siemens ST7 ScadaConnect in industrial control system environments, particularly those in critical infrastructure sectors where OT/ICS security is paramount. System administrators, security operations centers, and OT security teams responsible for maintaining SCADA connectivity infrastructure should prioritize this patch.

Technical summary

CVE-2023-28260 is a .NET DLL hijacking remote code execution vulnerability affecting Siemens ST7 ScadaConnect (6NH7997-5DA10-0AA0). The vulnerability allows an attacker with local access and low privileges to execute arbitrary code by exploiting insecure DLL loading behavior. CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C). Published 2024-06-11. Remediation: Update to V1.1 or later.

Defensive priority

HIGH

Recommended defensive actions

  • Update Siemens ST7 ScadaConnect to version 1.1 or later to remediate the DLL hijacking vulnerability
  • Verify the currently installed version of ST7 ScadaConnect to determine whether it is below V1.1 and therefore requires patching
  • Apply principle of least privilege to accounts with local access to systems running ST7 ScadaConnect
  • Monitor for unauthorized DLL files in application directories and system paths used by ST7 ScadaConnect
  • Implement application whitelisting or DLL load order hardening where supported by the operating system
  • Review CISA ICS recommended practices for defense-in-depth strategies applicable to industrial control systems
  • Subscribe to Siemens ProductCERT advisories for future security updates affecting ST7 ScadaConnect
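
The DLL-monitoring action in the list above can be implemented as a baseline audit of the application directory. The following is an added example, not Siemens or PatchSiren code. The directory, file names, baseline and system-library name set are constructed assumptions, since the install path of ST7 ScadaConnect is not given on this page.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_dlls(app_dir, baseline, system_dll_names=frozenset()):
    """Compare DLLs under app_dir with baseline {lowercase relative path: sha256}.

    Returns (kind, relative_path) findings: unexpected, shadows-system-dll,
    modified or missing. system_dll_names is an operator-supplied set of
    lowercase OS library names (an assumption of this example).
    """
    root, findings, seen = Path(app_dir), [], set()
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".dll":
            continue
        rel = path.relative_to(root).as_posix().lower()
        seen.add(rel)
        if rel not in baseline:
            shadow = path.name.lower() in system_dll_names
            findings.append(("shadows-system-dll" if shadow else "unexpected", rel))
        elif sha256_file(path) != baseline[rel]:
            findings.append(("modified", rel))
    findings += [("missing", rel) for rel in sorted(set(baseline) - seen)]
    return findings


def demo():
    """Constructed sample: a temp folder stands in for the install directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Vendor.Core.dll").write_bytes(b"known-good build A")
        (root / "Vendor.Io.dll").write_bytes(b"known-good build B")
        baseline = {p.name.lower(): sha256_file(p) for p in root.glob("*.dll")}
        baseline["vendor.gone.dll"] = "0" * 64           # baselined, later removed
        (root / "Vendor.Io.dll").write_bytes(b"changed")  # content drift
        (root / "sysexample.dll").write_bytes(b"x")       # same name as an OS library
        (root / "helper.dll").write_bytes(b"y")           # not in baseline
        return audit_dlls(root, baseline, {"sysexample.dll"})


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:20} {rel}")
```

Take the baseline from a freshly patched, trusted installation, and treat a `shadows-system-dll` finding as the highest priority, since it matches the search-order condition described in the summary.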

Evidence notes

CVE published 2024-06-11; CISA advisory ICSA-24-165-04 published same date; Siemens SSA-341067 references multiple formats (JSON, HTML, PDF, TXT); vendor fix available in V1.1 or later per remediation data; CVSS vector confirms local attack vector with low privileges required and no user interaction needed; not listed in CISA KEV catalog.
