Impact
A CRC16-based algorithm used to generate Technical Service credentials on Siemens Blueplanet devices allows an attacker who can obtain the device's serial number to compute the credentials and gain unauthorized access. The weakness is classified as use of a hard-coded cryptographic key (CWE-321): the credentials depend only on the serial number and a fixed algorithm shared by every device, so there is no per-device secret to protect. This flaw can lead to privileged use of the device services and potentially allow further exploitation of connected systems.
Affected Systems
The vulnerability affects a wide range of Siemens Blueplanet equipment, including the 100 NX3 M8, 100 TL3 GEN2 (versions < V6.1.4.9), 105 TL3, 105 TL3 GEN2 (versions < V6.1.4.9), 110 TL3, 125 NX3 M11, 125 TL3, 125 TL3 GEN2 (versions < V6.1.4.9), 137 TL3, 150 TL3, 150 TL3 GEN2 (versions < V6.1.4.9), 155 TL3, 155 TL3 GEN2 (versions < V6.1.4.9), 165 TL3, 165 TL3 GEN2 (versions < V6.1.4.9), 25.0 NX3‑33.0 NX3, 3.0 NX3‑20.0 NX3, 3.0 TL3‑60.0 TL3, 3.0‑5.0 NX1, 360 NX3 M6, 50.0 NX3‑60.0 NX3, 87.0 TL3, 87.0 TL3 GEN2 (versions < V6.1.4.9), 92.0 TL3, 92.0 TL3 GEN2 (versions < V6.1.4.9), gridsafe 110 TL3‑S (versions < V3.91), gridsafe 137 TL3‑S (versions < V3.91), gridsafe 92.0 TL3‑S (versions < V3.91), hybrid 10.0 TL3, and hybrid 6.0 NH3‑12.0 NH3. All versions of the listed models are affected, except where a version limit is specified.
Risk and Exploitability
The flaw has a CVSS base score of 7.2, which falls in the High severity band (7.0 to 8.9); no EPSS score is available and it is not listed in CISA KEV. The weakness is a hard-coded cryptographic key (CWE-321): the Technical Service credentials are derived deterministically from the device serial number with a CRC16-based algorithm, so anyone who knows the serial number and the algorithm can compute them and authenticate as a privileged user. The description does not say how an attacker would obtain the serial number; serial numbers are commonly printed on the device label and shown in the device's user interface, so whether the attack is local or remote depends on how the device is exposed. Once the credentials are computed, the attacker holds full technical-service privileges and can reconfigure, disrupt, or monitor the system. Operators should compare each device's firmware version against the thresholds listed above (V6.1.4.9 for the TL3 GEN2 models, V3.91 for the gridsafe TL3-S models) and treat any model without a listed fix as affected in all versions.
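The following is an added example, not code from the advisory or the vendor, that shows why a CRC-derived credential is equivalent to a hard-coded key and what the per-device alternative looks like. The page does not give the real CRC variant or credential format, so the block assumes CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF) and a four-hex-digit password purely as a stand-in; the function names (`weak_service_password`, `provision_device`, `verify_service_login`) and the sample serial numbers are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE (assumed variant, not the vendor's).
    A CRC is a public, keyless function: it carries no secret at all."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


# --- Weak pattern: credential is a function of a public identifier only ---
def weak_service_password(serial: str) -> str:
    """Hypothetical 'technical service' password derived from the serial.
    The only secret is the algorithm itself, which is identical on every
    device: this is the CWE-321 (hard-coded key) shape of the flaw."""
    return f"{crc16_ccitt(serial.encode()):04X}"


def attacker_recovers(serial: str) -> str:
    """An attacker who knows the serial runs the same public function."""
    return weak_service_password(serial)


# --- Hardened pattern: independent random secret per device ---
def provision_device(serial: str, iterations: int = 200_000) -> dict:
    """At manufacturing (assumed workflow): generate a random password that
    is unrelated to the serial, store only a salted PBKDF2 hash on the
    device, and hand the cleartext to the service channel out of band."""
    password = secrets.token_urlsafe(16)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    record = {"serial": serial, "salt": salt, "hash": digest, "iterations": iterations}
    return {"record": record, "password": password}


def verify_service_login(record: dict, candidate: str) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    serial = "SN-0001-CONSTRUCTED"
    print("weak password any serial-holder can compute:", attacker_recovers(serial))
    prov = provision_device(serial)
    print("hardened login with real password:", verify_service_login(prov["record"], prov["password"]))
    print("hardened login with serial-derived guess:", verify_service_login(prov["record"], weak_service_password(serial)))
```

The weak path needs no device access at all once the serial is known, which is exactly what makes the advisory's attack cheap; the hardened path makes the serial useless to an attacker because the stored hash cannot be inverted and the password was never a function of any public value.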
OpenCVE Enrichment