A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validate the device tokens. This could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system.
Vulnerable system components do not perform proper validation of tokens assigned to devices (CWE-639 — improper access control based on identifiers). An attacker can exploit this flaw to use another device's token and authenticate to the system as that device. The attack requires no authentication, user interaction, or special network conditions — only network access to the system is needed.
An attacker can impersonate any device registered in the Industrial Edge Management system, which may lead to unauthorized access to data, manipulation of industrial device configuration, and compromise of the integrity of the edge environment.
Update Siemens Industrial Edge Management Pro to version V1.9.5 or later and Industrial Edge Management Virtual to version V2.3.1-1 or later. Detailed information is available in the Siemens security bulletin SSA-359713 at: https://cert-portal.siemens.com/productcert/html/ssa-359713.html
Siemens Industrial Edge Management Pro (all versions < V1.9.5) and Siemens Industrial Edge Management Virtual (all versions < V2.3.1-1).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X