PatchSiren cyber security CVE debrief

CVE-2023-38533 Siemens CVE debrief

## Summary CVE-2023-38533 is a low-severity vulnerability in Siemens TIA Administrator affecting Windows systems. The issue stems from insecure permissions on a directory used for temporary download files during the update process, allowing any authenticated Windows user to potentially disrupt software updates. ## Technical Details The vulnerability exists because the affected component creates temporary download files in a directory with overly permissive access controls. On Windows systems, this configuration allows any authenticated user—not just administrators—to interact with these temporary files. The primary risk is denial of service against the update mechanism rather than code execution or data exfiltration. The CVSS 3.1 score of 3.3 (Low) reflects the local attack vector, low attack complexity, and limited privileges required, with availability impact being the primary concern. The confidentiality and integrity impacts are rated as none. ## Affected Product - **Vendor:** Siemens - **Product:** TIA Administrator - **Platform:** Windows ## Remediation Siemens has released an update to address this vulnerability. Users should upgrade to TIA Administrator V3 SP2 or later. As an interim mitigation, administrators can remove write permissions for non-administrative users on files and folders located under the TIA Administrator installation path. ## Timeline - **Published:** June 11, 2024 (CISA ICS Advisory ICSA-24-165-03 and Siemens security advisory SSA-319319) This vulnerability was disclosed through coordinated disclosure between Siemens and CISA.