Full Report
SiPass integrated contains multiple vulnerabilities that could allow an unauthenticated remote attacker to exploit user accounts, manipulate data, impersonate users, or achieve arbitrary code execution on the SiPass integrated server. Siemens has released a new version of SiPass integrated and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Flaws in Siemens SiPass Integrated
## CVE Details
- **CVE ID:** CVE-2023-35002, CVE-2025-40772, CVE-2025-40773, CVE-2025-40774
- **CVSS Score:** 8.8 (High) under CVSS v3.1 / 8.6 (High) under CVSS v4.0 (highest of the four; the advisory scores each CVE separately)
- **CWE:**
  - CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (CVE-2023-35002)
  - CWE-79: Improper Neutralization of Input during Web Page Generation (XSS) (CVE-2025-40772)
  - CWE-639: Authorization Bypass Through User-Controlled Key (CVE-2025-40773)
  - CWE-257: Storing Passwords in a Recoverable Format (CVE-2025-40774)
## Affected Systems
- **Products:** SiPass integrated (Access Control System)
- **Versions:**
  - All versions < V3.0 are affected by all four CVEs.
  - V2.95 maintenance line: versions < V2.95.3.23 are affected by CVE-2023-35002. V2.95.3.23 fixes only that CVE; the three CVE-2025-* issues still require V3.0.
- **Configurations:** Server applications utilizing Accusoft ImageGear 20.1 functionality or web-based management interfaces.
## Vulnerability Description
SiPass integrated suffers from four distinct security flaws:
1. **Heap-Based Buffer Overflow (CVE-2023-35002):** A flaw in the `pictwread` functionality of the bundled third-party Accusoft ImageGear library. Processing a malformed image file can trigger a heap-based buffer overflow, which can lead to remote code execution (RCE) on the server.
2. **Stored XSS (CVE-2025-40772):** The server application does not sanitize user-supplied input before rendering it, so an attacker can store script that executes in the browser of any other user who later views the affected page. A victim's session can be hijacked and its privileges used by the attacker.
3. **Broken Access Control (CVE-2025-40773):** The server does not enforce sufficient server-side permission checks when processing API requests. An attacker who substitutes another user's identifier in a request (CWE-639) can manipulate data belonging to that user.
4. **Reversible Password Storage (CVE-2025-40774):** User passwords are stored encrypted rather than hashed, and the material needed to decrypt them is accessible to administrative users, so plaintext credentials can be recovered.
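The access-control flaw in item 3 is the CWE-639 pattern: the server confirms that a session exists, then acts on whatever record identifier the client put in the request. The following is an added example, not SiPass code and not derived from the advisory, with a hypothetical in-memory account store and a hypothetical `update_email` endpoint; it shows the vulnerable handler beside the fixed one, where the ownership check is done on the server against the session's own identity rather than the client-supplied key.

```python
"""Added example (hypothetical API, not SiPass code): CWE-639, vulnerable vs fixed."""
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    email: str
    is_admin: bool = False


class AuthzError(Exception):
    """Raised when a request fails authentication or authorization."""


def make_users():
    """Constructed sample account store (hypothetical data)."""
    return {
        1: User(1, "alice", "alice@example.test"),
        2: User(2, "bob", "bob@example.test"),
        99: User(99, "admin", "admin@example.test", is_admin=True),
    }


def update_email_vulnerable(users, session_user_id, target_user_id, new_email):
    """Vulnerable: authenticates the session, then trusts the client-supplied
    target_user_id with no check that the caller may touch that record."""
    if session_user_id not in users:
        raise AuthzError("not authenticated")
    target = users[target_user_id]  # user-controlled key, no ownership check
    target.email = new_email
    return target.email


def update_email_fixed(users, session_user_id, target_user_id, new_email):
    """Fixed: the target must be the caller's own record unless the caller
    holds the admin role. The decision uses the server-side session identity."""
    actor = users.get(session_user_id)
    if actor is None:
        raise AuthzError("not authenticated")
    # Same error for "no such user" and "not yours": don't leak which ids exist.
    if target_user_id not in users or not (actor.is_admin or actor.user_id == target_user_id):
        raise AuthzError("forbidden")
    target = users[target_user_id]
    target.email = new_email
    return target.email


def try_update(handler, users, session_user_id, target_user_id, new_email):
    """Run a handler and report either the new value or the string 'forbidden'."""
    try:
        return handler(users, session_user_id, target_user_id, new_email)
    except AuthzError:
        return "forbidden"


if __name__ == "__main__":
    # bob (id 2) tries to rewrite alice's (id 1) e-mail address.
    print("vulnerable:", try_update(update_email_vulnerable, make_users(), 2, 1, "evil@example.test"))
    print("fixed:     ", try_update(update_email_fixed, make_users(), 2, 1, "evil@example.test"))
```

The fix deliberately returns the same `forbidden` error for a missing record and for a record the caller does not own, so the endpoint cannot be used to enumerate which user ids exist.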
## Exploitation
- **Status:** Not currently reported as exploited in the wild; no public PoC provided in the advisory.
- **Complexity:** Low for the listed scores. Prerequisites differ by CVE: CVE-2025-40774 requires administrative privileges, and CVE-2025-40772 requires a victim user to view the injected content.
- **Attack Vector:**
  - **Adjacent (AV:A):** CVE-2023-35002, CVE-2025-40772, CVE-2025-40773 (requires access to the local or adjacent network).
  - **Local (AV:L):** CVE-2025-40774.
## Impact
- **Confidentiality:** High (Session theft, password recovery, and data access).
- **Integrity:** High (Unauthorized data manipulation and code execution).
- **Availability:** High (Potential for system instability or crashes via heap overflow).
## Remediation
### Patches
- **SiPass integrated:** Update to **V3.0** or later.
- **SiPass integrated V2.95:** Update to **V2.95.3.23** (specifically addresses CVE-2023-35002).
### Workarounds
- **Access Control:** Strictly restrict network access to the SiPass server to authorized and trusted personnel only.
- **General Security:** Deploy the server within a protected IT environment and follow Siemens "General Security Recommendations."
## Detection
- **Indicators of Compromise:** API requests in which a session's acting account reads or modifies records that belong to a different account, in particular many distinct records in quick succession (enumeration); unexpected changes to user data or credentials; image files submitted to the server that cause its image-handling component to crash or restart.
- **Detection methods and tools:** Server-side application and web-server logs are the primary source, because the checks that matter (which account acted on which record) are only visible there. Network intrusion detection (NIDS) signatures for generic XSS patterns or for the ImageGear flaw are of limited value where the management interface is served over TLS, and no public exploit sample exists to derive a specific signature from. Because password recovery (CVE-2025-40774) requires administrative privileges, review which accounts hold the administrative role and audit administrative-level actions for unexplained credential access.
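The detection idea above (an account acting on another account's records, or sweeping through many record ids) can be checked offline against exported API logs. The following is an added example, not part of the advisory and not the real SiPass log format: the log lines, the `/api/users/<id>/...` path shape and the account-to-id mapping are all constructed for illustration. It flags non-administrative writes to other users' records and sessions that touch more than a threshold of foreign record ids.

```python
"""Added example: flag cross-account API writes and record enumeration in audit logs.
The log format, paths and accounts are constructed for illustration only."""
import re
from collections import defaultdict

# Constructed sample audit lines (hypothetical format, not the real SiPass log format).
SAMPLE_LOG = """\
2025-09-02T10:15:01Z session=s-17 user=bob role=operator method=GET path=/api/users/2/profile status=200
2025-09-02T10:15:03Z session=s-17 user=bob role=operator method=PUT path=/api/users/1/email status=200
2025-09-02T10:15:05Z session=s-17 user=bob role=operator method=GET path=/api/users/3/profile status=200
2025-09-02T10:15:06Z session=s-17 user=bob role=operator method=GET path=/api/users/4/profile status=200
2025-09-02T10:15:07Z session=s-17 user=bob role=operator method=GET path=/api/users/5/profile status=200
2025-09-02T10:16:00Z session=s-42 user=admin role=admin method=PUT path=/api/users/7/email status=200
2025-09-02T10:16:30Z session=s-51 user=alice role=operator method=PUT path=/api/users/1/email status=200
"""

# Constructed mapping from account name to the id of that account's own record.
USER_IDS = {"alice": 1, "bob": 2, "admin": 99}

LINE_RE = re.compile(
    r"(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})"
)
TARGET_RE = re.compile(r"^/api/users/(?P<uid>\d+)(?:/|$)")
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


def parse_lines(text):
    """Parse audit lines into dicts; lines that don't match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        t = TARGET_RE.match(ev["path"])
        ev["target"] = int(t.group("uid")) if t else None  # record id from the path
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def find_cross_account_writes(events, user_ids):
    """A non-admin account successfully writing to a record that is not its own."""
    findings = []
    for ev in events:
        if ev["target"] is None or ev["method"] not in WRITE_METHODS or ev["role"] == "admin":
            continue
        own = user_ids.get(ev["user"])
        if own is not None and ev["target"] != own and 200 <= ev["status"] < 300:
            findings.append({"type": "cross_account_write", "ts": ev["ts"], "session": ev["session"],
                             "user": ev["user"], "target": ev["target"]})
    return findings


def find_enumeration(events, user_ids, threshold=3):
    """One session touching at least `threshold` distinct foreign record ids (any method).
    Admin sessions are included on purpose: a stolen admin session enumerates just as well."""
    per_session, owner = defaultdict(set), {}
    for ev in events:
        own = user_ids.get(ev["user"])
        if ev["target"] is None or own is None or ev["target"] == own:
            continue
        per_session[ev["session"]].add(ev["target"])
        owner[ev["session"]] = ev["user"]
    return [{"type": "record_enumeration", "session": s, "user": owner[s], "targets": sorted(t)}
            for s, t in per_session.items() if len(t) >= threshold]


def analyze(text, user_ids=USER_IDS, threshold=3):
    """Return all findings for a block of audit log text."""
    events = parse_lines(text)
    return find_cross_account_writes(events, user_ids) + find_enumeration(events, user_ids, threshold)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The threshold and the admin exemption for writes are policy choices: in a real deployment, tune them against a baseline of normal administrative activity, and treat any hit on the write rule as a hard alert, since a correctly patched server should never allow that request to succeed.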
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-599451[.]html
- **Siemens Support (V3.0):** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109995331/
- **Siemens Support (V2.95):** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109827049/