PatchSiren cyber security CVE debrief
CVE-2023-36558 Siemens CVE debrief
CVE-2023-36558 is a security feature bypass vulnerability in ASP.NET Core affecting Siemens ST7 ScadaConnect (6NH7997-5DA10-0AA0). Published on June 11, 2024, this vulnerability carries a CVSS 3.1 score of 6.2 (MEDIUM severity) with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C. The local attack vector with low attack complexity and no required privileges indicates that an attacker with local access could bypass security features to achieve high confidentiality impact. Siemens has released a vendor fix: update to version 1.1 or later. CISA published advisory ICSA-24-165-04 on the same date as the CVE publication, coordinating disclosure through the CSAF format. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Siemens
- Product
- ST7 ScadaConnect (6NH7997-5DA10-0AA0)
- CVSS
- MEDIUM 6.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-06-11
- Original CVE updated
- 2024-06-11
- Advisory published
- 2024-06-11
- Advisory updated
- 2024-06-11
Who should care
Organizations operating Siemens ST7 ScadaConnect industrial control systems, particularly in critical infrastructure sectors. Security teams responsible for OT/ICS environments, SCADA system administrators, and compliance officers tracking CISA ICS advisories should prioritize this update.
Technical summary
A security feature bypass vulnerability exists in ASP.NET Core as implemented in Siemens ST7 ScadaConnect. The vulnerability allows local attackers to bypass security controls without authentication, resulting in high confidentiality impact. The attack requires local access but no user interaction or privileges. Siemens has addressed this in version 1.1.
Defensive priority
medium
Recommended defensive actions
- Update Siemens ST7 ScadaConnect to version 1.1 or later per vendor guidance
- Verify current installed version of ST7 ScadaConnect against vendor security advisory
- Apply defense-in-depth controls for industrial control systems as recommended by CISA
- Monitor for additional vendor security advisories from Siemens CERT portal
- Review network segmentation for SCADA systems to limit local attack surface
Evidence notes
CVE published 2024-06-11; CISA advisory ICSA-24-165-04 published same date. Siemens SSA-341067 provides vendor remediation guidance. CVSS vector confirms local attack vector with high confidentiality impact.
Official resources
-
CVE-2023-36558 CVE record
CVE.org
-
CVE-2023-36558 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
coordinated