A CRC16-based algorithm used to generate Technical Service credentials on Siemens Blueplanet devices allows an attacker who can obtain the device's serial number to compute the credentials and gain unauthorized access. The weakness is a key compromise during storage (CWE‑321). This flaw can lead to privileged use of the device services and potentially allow further exploitation of connected systems.

The vulnerability affects a wide range of Siemens Blueplanet equipment, including the 100 NX3 M8, 100 TL3 GEN2 (all versions < V6.1.4.9), 105 TL3, 105 TL3 GEN2 (versions < V6.1.4.9), 110 TL3, 125 NX3 M10 (all versions), 125 TL3, 125 TL3 GEN2 (versions < V6.1.4.9), 137 TL3, 150 TL3, 150 TL3 GEN2 (versions < V6.1.4.9), 155 TL3, 155 TL3 GEN2 (versions < V6.1.4.9), 165 TL3, 165 TL3 GEN2 (versions < V6.1.4.9), 25.0 NX3‑33.0 NX3 (all versions), 3.0 NX3‑20.0 NX3 (all versions), 3.0 TL3‑60.0 TL3 (all versions), 3.0‑5.0 NX1 (all versions), 360 NX3 M6 (all versions), 50.0 NX3‑60.0 NX3 (all versions), 87.0 TL3 (all versions), 87.0 TL3 GEN2 (versions < V6.1.4.9), 92.0 TL3 (all versions), 92.0 TL3 GEN2 (versions < V6.1.4.9), gridsave 110 TL3-S (versions < V3.91), gridsave 137 TL3-S (versions < V3.91), gridsave 92.0 TL3-S (versions < V3.91), hybrid 10.0 TL3 (all versions), and hybrid 6.0 NH3‑12.0 NH3 (all versions).

With a CVSS score of 7.2, this flaw carries moderate to high impact; the EPSS score is < 1% and it is not listed in CISA KEV. The description indicates the vulnerability is a key compromise (CWE‑321). An attacker who can obtain the device’s serial number can compute the Technical Service credentials and authenticate as a privileged user. The text does not specify how the serial number could be obtained, so it is inferred that the attack vector could be local or remote depending on device exposure. If the credentials are used, the attacker gains full technical‑service privileges, which can be used to reconfigure, interfere with, or eavesdrop on the system.