CVE-2020-25238
First published: Tue Feb 09 2021(Updated: )
A vulnerability has been identified in PCS neo (Administration Console) (All versions < V3.1), TIA Portal (V15, V15.1 and V16). Manipulating certain files in specific folders could allow a local attacker to execute code with SYSTEM privileges. The security vulnerability could be exploited by an attacker with a valid account and limited access rights on the system.
Credit: productcert@siemens.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Siemens Simatic Process Control System Neo | <3.1 | |
| Siemens Totally Integrated Automation Portal | =15 | |
| Siemens Totally Integrated Automation Portal | =15.1 | |
| Siemens Totally Integrated Automation Portal | =16 | |
| Siemens PCS neo (Administration Console) | =3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this security issue?
The vulnerability ID is CVE-2020-25238.
What software versions are affected by this vulnerability?
The affected software versions are PCS neo (Administration Console) versions < V3.1 and TIA Portal versions 15, 15.1, and 16.
What is the severity of CVE-2020-25238?
The severity of CVE-2020-25238 is high with a CVSS score of 7.8.
How can this vulnerability be exploited?
This vulnerability can be exploited by manipulating certain files in specific folders, allowing a local attacker to execute code with SYSTEM privileges.
Are there any references available for more information about this vulnerability?
Yes, you can find more information about this vulnerability at the following references: [Siemens ProductCERT](https://cert-portal.siemens.com/productcert/pdf/ssa-428051.pdf), [CISA ICS Advisory](https://us-cert.cisa.gov/ics/advisories/icsa-21-040-05), [CERT VU](https://www.kb.cert.org/vuls/id/466044)
- collector/nvd-index
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/severity
- agent/references
- agent/softwarecombine
- agent/event
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/siemens
- canonical/siemens simatic process control system neo
- canonical/siemens totally integrated automation portal
- version/siemens totally integrated automation portal/15
- version/siemens totally integrated automation portal/15.1
- version/siemens totally integrated automation portal/16
- canonical/siemens pcs neo (administration console)
- version/siemens pcs neo (administration console)/3.1