csaf_siemens - ssa-563922

ssa-563922

Vulnerability from csaf_siemens

Published

2025-09-09 00:00

Modified

2025-09-09 00:00

Summary

SSA-563922: Local Privilege Escalation Vulnerability in SIMOTION Tools

Notes

Summary

Several tools for the SIMOTION system are affected by a local privilege escalation vulnerability. This could allow an attacker to execute arbitrary code with SYSTEM privileges when a legitimate user installs an application that uses the affected setup component. This vulnerability poses a risk only during setup and installation phase of the affected tools. Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.

General Recommendations

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Several tools for the SIMOTION system are affected by a local privilege escalation vulnerability. This could allow an attacker to execute arbitrary code with SYSTEM privileges when a legitimate user installs an application that uses the affected setup component. This vulnerability poses a risk only during setup and installation phase of the affected tools.\n\nSiemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-563922: Local Privilege Escalation Vulnerability in SIMOTION Tools - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-563922.html"
      },
      {
        "category": "self",
        "summary": "SSA-563922: Local Privilege Escalation Vulnerability in SIMOTION Tools - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-563922.json"
      }
    ],
    "title": "SSA-563922: Local Privilege Escalation Vulnerability in SIMOTION Tools",
    "tracking": {
      "current_release_date": "2025-09-09T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-563922",
      "initial_release_date": "2025-09-09T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-09-09T00:00:00Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "interim",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SIMATIC Technology Package TPCamGen (6ES7823-0FE30-1AA0)",
                  "product_id": "1",
                  "product_identification_helper": {
                    "model_numbers": [
                      "6ES7823-0FE30-1AA0"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SIMATIC Technology Package TPCamGen (6ES7823-0FE30-1AA0)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SIMOTION OA MIIF (6AU1820-3DA20-0AB0)",
                  "product_id": "2",
                  "product_identification_helper": {
                    "model_numbers": [
                      "6AU1820-3DA20-0AB0"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SIMOTION OA MIIF (6AU1820-3DA20-0AB0)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SIMOTION OACAMGEN (6AU1820-3EA20-0AB0)",
                  "product_id": "3",
                  "product_identification_helper": {
                    "model_numbers": [
                      "6AU1820-3EA20-0AB0"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SIMOTION OACAMGEN (6AU1820-3EA20-0AB0)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SIMOTION OALECO (6AU1820-3HA20-0AB0)",
                  "product_id": "4",
                  "product_identification_helper": {
                    "model_numbers": [
                      "6AU1820-3HA20-0AB0"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SIMOTION OALECO (6AU1820-3HA20-0AB0)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SIMOTION OAVIBX (6AU1820-3CA20-0AB0)",
                  "product_id": "5",
                  "product_identification_helper": {
                    "model_numbers": [
                      "6AU1820-3CA20-0AB0"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SIMOTION OAVIBX (6AU1820-3CA20-0AB0)"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-43715",
      "cwe": {
        "id": "CWE-754",
        "name": "Improper Check for Unusual or Exceptional Conditions"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Ensure that no other users are logged in and that no unknown programs are running before starting the installation of the affected products",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Currently no fix is planned",
          "product_ids": [
            "2",
            "3",
            "4",
            "5"
          ]
        },
        {
          "category": "none_available",
          "details": "Currently no fix is available",
          "product_ids": [
            "1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4",
            "5"
          ]
        }
      ],
      "title": "CVE-2025-43715"
    }
  ]
}

CVE-2025-43715 (GCVE-0-2025-43715)

Vulnerability from cvelistv5

Published

2025-04-17 00:00

Modified

2025-04-17 19:16

Severity ?

8.1 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Summary

Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag.

References

▼	URL	Tags
	https://sourceforge.net/p/nsis/bugs/1315/
	https://nsis.sourceforge.io/Docs/AppendixF.html#v3.11-rl

Impacted products

	Vendor	Product	Version
	Nullsoft	Nullsoft Scriptable Install System	Version: 0 < 3.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43715",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T19:16:35.360975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T19:16:59.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nullsoft Scriptable Install System",
          "vendor": "Nullsoft",
          "versions": [
            {
              "lessThan": "3.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nullsoft:nullsoft_scriptable_install_system:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-17T02:15:09.285Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://sourceforge.net/p/nsis/bugs/1315/"
        },
        {
          "url": "https://nsis.sourceforge.io/Docs/AppendixF.html#v3.11-rl"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-43715",
    "datePublished": "2025-04-17T00:00:00.000Z",
    "dateReserved": "2025-04-17T00:00:00.000Z",
    "dateUpdated": "2025-04-17T19:16:59.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

ssa-563922

Vulnerability from csaf_siemens

CVE-2025-43715 (GCVE-0-2025-43715)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature