CVE-2022-26476 - OpenCVE

A vulnerability has been identified in Spectrum Power 4 (All versions using Shared HIS), Spectrum Power 7 (All versions using Shared HIS), Spectrum Power MGMS (All versions using Shared HIS). An unauthenticated attacker could log into the component Shared HIS used in Spectrum Power systems by using an account with default credentials. A successful exploitation could allow the attacker to access the component Shared HIS with administrative privileges.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Spectrum Power 4 Spectrum Power 7 Spectrum Power Microgrid Management System

Configuration 1 [-]

OR	cpe:2.3:a:siemens:spectrum_power_4:-:::::::*
	cpe:2.3:a:siemens:spectrum_power_7:-:::::::*
	cpe:2.3:a:siemens:spectrum_power_microgrid_management_system:-:::::::*

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-388239.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2022-06-14T09:21:38

Updated: 2024-08-03T05:03:32.863Z

Reserved: 2022-03-04T00:00:00

Link: CVE-2022-26476

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-06-14T10:15:19.883

Modified: 2022-06-22T20:00:42.290

Link: CVE-2022-26476

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Spectrum Power 4", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions using Shared HIS"}]}, {"product": "Spectrum Power 7", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions using Shared HIS"}]}, {"product": "Spectrum Power MGMS", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions using Shared HIS"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Spectrum Power 4 (All versions using Shared HIS), Spectrum Power 7 (All versions using Shared HIS), Spectrum Power MGMS (All versions using Shared HIS). An unauthenticated attacker could log into the component Shared HIS used in Spectrum Power systems by using an account with default credentials. A successful exploitation could allow the attacker to access the component Shared HIS with administrative privileges."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-14T09:21:38", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-388239.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2022-26476", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spectrum Power 4", "version": {"version_data": [{"version_value": "All versions using Shared HIS"}]}}, {"product_name": "Spectrum Power 7", "version": {"version_data": [{"version_value": "All versions using Shared HIS"}]}}, {"product_name": "Spectrum Power MGMS", "version": {"version_data": [{"version_value": "All versions using Shared HIS"}]}}]}, "vendor_name": "Siemens"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in Spectrum Power 4 (All versions using Shared HIS), Spectrum Power 7 (All versions using Shared HIS), Spectrum Power MGMS (All versions using Shared HIS). An unauthenticated attacker could log into the component Shared HIS used in Spectrum Power systems by using an account with default credentials. A successful exploitation could allow the attacker to access the component Shared HIS with administrative privileges."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798: Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-388239.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-388239.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:03:32.863Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-388239.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2022-26476", "datePublished": "2022-06-14T09:21:38", "dateReserved": "2022-03-04T00:00:00", "dateUpdated": "2024-08-03T05:03:32.863Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*", "matchCriteriaId": "3D40B786-1DB0-444A-86F5-C4C8785E1DE7", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_7:-:*:*:*:*:*:*:*", "matchCriteriaId": "24683BF6-BEE0-48E6-92C6-89B20569FE92", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:spectrum_power_microgrid_management_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "870246D2-2224-41FD-A490-D0396B7BEA45", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Spectrum Power 4 (All versions using Shared HIS), Spectrum Power 7 (All versions using Shared HIS), Spectrum Power MGMS (All versions using Shared HIS). An unauthenticated attacker could log into the component Shared HIS used in Spectrum Power systems by using an account with default credentials. A successful exploitation could allow the attacker to access the component Shared HIS with administrative privileges."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Spectrum Power 4 (Todas las versiones que usan HIS compartido), Spectrum Power 7 (Todas las versiones que usan HIS compartido), Spectrum Power MGMS (Todas las versiones que usan HIS compartido). Un atacante no autenticado podr\u00eda entrar en el componente Shared HIS usado en los sistemas Spectrum Power usando una cuenta con credenciales por defecto. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante acceder al componente Shared HIS con privilegios administrativos"}], "id": "CVE-2022-26476", "lastModified": "2022-06-22T20:00:42.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-14T10:15:19.883", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-388239.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "productcert@siemens.com", "type": "Secondary"}]}