Analysis Summary

CVE-2024-36266 CVSS:9.3

Siemens PowerSys could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper authentication. By sending a specially crafted request, an attacker could exploit this vulnerability to gain administrative privileges for the managed remote devices.

CVE-2024-33500 CVSS:5.9

Siemens Mendix Applications could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper privilege management. By sending a specially crafted request, an attacker could exploit this vulnerability to guess the id of a target role which contains the elevated access rights.

CVE-2023-38533 CVSS:3.3

Siemens TIA Administrator is vulnerable to a denial of service, caused by creating temporary download files in a directory with insecure permissions. By sending a specially crafted request, a local attacker could exploit this vulnerability to disrupt the update process.

Impact

• Privilege Escalation
• Denial of Service

Indicators of Compromise

CVE

• CVE-2024-36266
• CVE-2024-33500
• CVE-2023-38533

Affected Vendors

Affected Products

• Siemens Mendix Applications using Mendix 9
• Siemens Mendix Applications using Mendix 10
• Siemens PowerSys
• Siemens Mendix Applications using Mendix 10 (V10.6)
• Siemens TIA Administrator

Remediation

Refer to Siemens Security Advisory for patch, upgrade or suggested workaround information.

CVE-2024-36266

CVE-2024-33500

CVE-2023-38533