CVE-2022-33137

Summary

A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.

Affected Software

VendorProductVersion RangeStatus
SiemensSIMATIC MV540 HAll versions < V3.3affected
SiemensSIMATIC MV540 SAll versions < V3.3affected
SiemensSIMATIC MV550 HAll versions < V3.3affected
SiemensSIMATIC MV550 SAll versions < V3.3affected
SiemensSIMATIC MV560 UAll versions < V3.3affected
SiemensSIMATIC MV560 XAll versions < V3.3affected

Weaknesses

  • CWE-613: CWE-613: Insufficient Session Expiration

ADP Enrichment

CVE Program Container

Additional References

References