SSA-471761

Siemens Security Advisory by Siemens ProductCERT

SSA-471761: Multiple Vulnerabilities in SICAM T Before V3.0

Publication Date:	2025-12-09
Last Update:	2025-12-09
Current Version:	V1.0
CVSS v3.1 Base Score:	9.9
CVSS v4.0 Base Score:	9.3

SUMMARY

SICAM T before V3.0 contain multiple vulnerabilities. These include critical issues such as improper parameter and input validation, various Cross-Site Scripting (XSS) vulnerabilities , and a Cross-Site Request Forgery (CSRF) vulnerability . Additional weaknesses comprise session fixation, authentication and authorization bypasses , missing HTTPS protection, and missing cookie protection flags. These issues could potentially lead to remote code execution, denial of service, unauthorized access to web-interface functionality, session hijacking, impersonation of legitimate users, or allow an attacker to perform arbitrary actions on the device on behalf of a user.

Siemens has released a new version for SICAM T and recommends to update to the latest version.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
SICAM T All versions < V3.0 affected by all CVEs CVE-2022-29872 CVE-2022-29873 CVE-2022-29874 CVE-2022-29876 CVE-2022-29878 CVE-2022-29879 CVE-2022-29880 CVE-2022-29881 CVE-2022-29882 CVE-2022-29883 CVE-2022-40226 CVE-2022-41665 CVE-2022-43439 CVE-2023-30901 CVE-2023-31238	Update to V3.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109743625/ See further recommendations from section Mitigations

MITIGATIONS

Siemens has identified the following specific mitigations that customers can apply to reduce the risk:

CVE-2023-31238

Restrict access to port 443/tcp to trusted IP addresses only.

Do not access links from untrusted sources while logged in at SICAM T

Product-specific remediations or mitigations can be found in the section Known Affected Products.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.

Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

PRODUCT DESCRIPTION

SICAM T is a digital measurement transducer that allows the measuring of electrical quantities in electrical networks in a single unit. In industries, power plants and substations, transducers are especially used for measurand (e.g. current, voltage, power, phase angle, energy or frequency) assignment into further processing through analog outputs or communication interface for precise control, notification or visualization tasks.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2022-29872

Affected devices do not properly validate parameters of POST requests. This could allow an authenticated attacker to set the device to a denial of service state or to control the program counter and, thus, execute arbitrary code on the device.

CVSS v3.1 Base Score	8.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 Base Score	8.7
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-141: Improper Neutralization of Parameter/Argument Delimiters

Vulnerability CVE-2022-29873

Affected devices do not properly validate parameters of certain GET and POST requests. This could allow an unauthenticated attacker to set the device to a denial of service state or to control the program counter and, thus, execute arbitrary code on the device.

CVSS v3.1 Base Score	9.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 Base Score	9.3
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-141: Improper Neutralization of Parameter/Argument Delimiters

Vulnerability CVE-2022-29874

Affected devices do not encrypt web traffic with clients but communicate in cleartext via HTTP. This could allow an unauthenticated attacker to capture the traffic and interfere with the functionality of the device.

CVSS v3.1 Base Score	8.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE	CWE-319: Cleartext Transmission of Sensitive Information

Vulnerability CVE-2022-29876

Affected devices do not properly handle the input of a GET request parameter. The provided argument is directly reflected in the web server response. This could allow an unauthenticated attacker to perform reflected XSS attacks.

CVSS v3.1 Base Score	7.1
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2022-29878

Affected devices use a limited range for challenges that are sent during the unencrypted challenge-response communication. An unauthenticated attacker could capture a valid challenge-response pair generated by a legitimate user, and request the webpage repeatedly to wait for the same challenge to reappear for which the correct response is known. This could allow the attacker to access the management interface of the device.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE	CWE-294: Authentication Bypass by Capture-replay

Vulnerability CVE-2022-29879

The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow authenticated users to access critical device information.

CVSS v3.1 Base Score	4.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0 Base Score	5.3
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-306: Missing Authentication for Critical Function

Vulnerability CVE-2022-29880

Affected devices do not properly validate input in the configuration interface. This could allow an authenticated attacker to place persistent XSS attacks to perform arbitrary actions in the name of a logged user which accesses the affected views.

CVSS v3.1 Base Score	6.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2022-29881

The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow unauthenticated users to extract internal configuration details.

CVSS v3.1 Base Score	5.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-306: Missing Authentication for Critical Function

Vulnerability CVE-2022-29882

Affected devices do not handle uploaded files correctly. An unauthenticated attacker could take advantage of this situation to store an XSS attack, which could - when a legitimate user accesses the error logs - perform arbitrary actions in the name of the user.

CVSS v3.1 Base Score	7.1
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2022-29883

Affected devices do not restrict unauthenticated access to certain pages of the web interface. This could allow an attacker to delete log files without authentication.

CVSS v3.1 Base Score	5.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE	CWE-287: Improper Authentication

Vulnerability CVE-2022-40226

Affected devices accept user defined session cookies and do not renew the session cookie after login/logout. This could allow an attacker to take over another user's session after login.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-384: Session Fixation

Vulnerability CVE-2022-41665

Affected devices do not properly validate the parameter of a specific GET request. This could allow an unauthenticated attacker to set the device to a denial of service state or to control the program counter and, thus, execute arbitrary code on the device.

CVSS v3.1 Base Score	9.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-141: Improper Neutralization of Parameter/Argument Delimiters

Vulnerability CVE-2022-43439

Affected devices do not properly validate the Language-parameter in requests to the web interface on port 443/tcp. This could allow an authenticated remote attacker to crash the device (followed by an automatic reboot) or to execute arbitrary code on the device.

CVSS v3.1 Base Score	9.9
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2023-30901

The web interface of the affected devices are vulnerable to Cross-Site Request Forgery attacks. By tricking an authenticated victim user to click a malicious link, an attacker could perform arbitrary actions on the device on behalf of the victim user.

CVSS v3.1 Base Score	4.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE	CWE-352: Cross-Site Request Forgery (CSRF)

Vulnerability CVE-2023-31238

Affected devices are missing cookie protection flags when using the default settings. An attacker who gains access to a session token can use it to impersonate a legitimate application user.

CVSS v3.1 Base Score	5.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
CWE	CWE-732: Incorrect Permission Assignment for Critical Resource

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-12-09):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.