Full Report
SiPass integrated ACC (Advanced Central Controller) devices contain multiple vulnerabilities that could allow attackers to execute commands on the devices with root privileges and to access sensitive data. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in SiPass integrated ACC Devices Allowing Root Command Execution
## CVE Details
- CVE ID: CVE-2024-52285, CVE-2025-27493, CVE-2025-27494
- CVSS Score: 9.4 (CVSS v4.0) / 9.1 (CVSS v3.1 for CVE-2025-27494)
- CWE: CWE-306 (Missing Authentication), CWE-20 (Improper Input Validation)
## Affected Systems
- Products: SiPass integrated AC5102 (ACC-G2), SiPass integrated ACC-AP
- Versions:
  - Affected by CVE-2024-52285: All versions < V6.4.8
  - Affected by CVE-2025-27493, CVE-2025-27494: All versions < V6.4.9
- Configurations: Not specified; the vulnerabilities are in the device firmware itself.
## Vulnerability Description
This advisory addresses multiple vulnerabilities:
1. **CVE-2024-52285 (Missing Authentication, CVSS v3.1: 5.3/v4.0: 6.9):** Affected devices expose several MQTT URLs without authentication, allowing unauthenticated remote attackers to access sensitive data.
2. **CVE-2025-27493 (Improper Input Validation, CVSS v3.1: 8.2/v4.0: 9.3):** An authenticated local administrator can escalate privileges by injecting arbitrary commands into the telnet command-line interface, which are then executed with root privileges.
3. **CVE-2025-27494 (Improper Input Validation, CVSS v3.1: 9.1/v4.0: 9.4):** An authenticated remote administrator can escalate privileges by injecting arbitrary commands via the `pubkey` endpoint of the REST API, which are then executed with root privileges.
## Exploitation
- Status: Details on exploitation in the wild are not provided; a PoC is implied by the described chaining of vulnerabilities that leads to root access.
- Complexity: Varies by CVE, up to Medium/High for the root privilege escalations.
- Attack Vector: Network (CVE-2024-52285, CVE-2025-27494), Local (CVE-2025-27493).
## Impact
- Confidentiality: High (Access to sensitive data via unauthenticated MQTT, root access allows full data exfiltration).
- Integrity: High (Root privileges allow arbitrary command execution and system modification).
- Availability: High (Root access may allow denial of service conditions).
## Remediation
### Patches
- For **CVE-2024-52285**: Update to **V6.4.8 or later**. (V6.4.8 was released as part of SiPass integrated V2.95 IR12).
- For **CVE-2025-27493 & CVE-2025-27494**: Update to **V6.4.9 or later**. (V6.4.9 was released as part of SiPass integrated V2.95 IR14).
### Workarounds
- For **CVE-2025-27493 & CVE-2025-27494**: Set an individual strong password for the built-in administrator account ("SIEMENS").
- General mitigation: Protect network access to affected products using appropriate mechanisms and follow recommended security practices to operate devices in a protected IT environment.
## Detection
- Detection methods are not explicitly detailed beyond implementing the patches.
- Indicators of Compromise (IoCs): Unauthenticated access attempts to MQTT endpoints, and suspicious command execution via the Telnet CLI or the REST API `pubkey` endpoint.
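The affected-version table and the detection guidance above are easier to act on with concrete logic. The following Python is an added example and is not part of the Siemens advisory or of this report: a triage helper that maps a firmware version string to the CVEs that still apply, using the fixed versions stated above, and a scan over constructed sample log lines that flags `pubkey`-endpoint requests carrying shell metacharacters. The log format and the `/api/pubkey` path are assumptions; the advisory names only a `pubkey` REST endpoint and gives no URL or log layout.

```python
import re
from urllib.parse import unquote

# First fixed version per CVE, as stated in the advisory summary above.
FIXED_VERSIONS = {
    "CVE-2024-52285": (6, 4, 8),
    "CVE-2025-27493": (6, 4, 9),
    "CVE-2025-27494": (6, 4, 9),
}


def parse_version(version):
    """Turn 'V6.4.7' or '6.4.7' into a comparable tuple of ints."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the CVE IDs from the advisory that still apply to the given ACC firmware version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_VERSIONS.items() if v < fixed)


# Constructed sample log lines (assumed format: src user [timestamp] "METHOD path" status "body").
# The /api/pubkey path is an assumption; the advisory only names a 'pubkey' REST endpoint.
SAMPLE_LOG = """\
10.0.0.5 admin [2025-06-01T10:00:01Z] "POST /api/pubkey" 200 "ssh-rsa AAAAB3NzaC1yc2E ops@host"
10.0.0.9 admin [2025-06-01T10:00:07Z] "POST /api/pubkey" 200 "ssh-rsa AAAA;id ops@host"
10.0.0.9 admin [2025-06-01T10:00:09Z] "POST /api/pubkey" 200 "$(uname -a)"
10.0.0.7 admin [2025-06-01T10:01:00Z] "GET /api/status" 200 ""
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)" (?P<status>\d+) "(?P<body>.*)"$'
)

# Characters that never occur in a legitimate SSH public key (type, base64 blob, comment)
# but are the building blocks of shell command injection: separators, substitution, redirection.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def flag_pubkey_injection(log_text):
    """Return (src, ts, body) tuples for pubkey-endpoint requests whose payload carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        if "pubkey" not in m["path"].lower():
            continue  # only the pubkey endpoint is in scope for CVE-2025-27494
        body = unquote(m["body"])  # decode percent-encoding so encoded metacharacters are not missed
        if SHELL_META.search(body):
            hits.append((m["src"], m["ts"], body))
    return hits


if __name__ == "__main__":
    for ver in ("V6.4.7", "V6.4.8", "V6.4.9"):
        print(ver, "affected by:", affected_cves(ver) or "none of the listed CVEs")
    for src, ts, body in flag_pubkey_injection(SAMPLE_LOG):
        print(f"suspicious pubkey payload from {src} at {ts}: {body!r}")
```

The version check is strict ("all versions below" the fixed release), so V6.4.8 is still reported as affected by the two 2025 CVEs, matching the advisory. The log scan is deliberately narrow: it only looks at the one endpoint the advisory names and only for characters that cannot appear in a well-formed public key, which keeps false positives low on a device where the administrator account is expected to post keys legitimately.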
## References
- Vendor Advisories: SSA-515903
- Relevant Links:
  - hXXps://cert-portal.siemens.com/productcert/html/ssa-515903.html