Siemens SENTRON 7KT PAC1261 Data Manager | CISA

CISA urges immediate action for a critical vulnerability affecting Siemens SENTRON 7KT PAC1261 Data Manager devices. This vulnerability could allow unauthorized users to access sensitive industrial control system data and potentially disrupt operations.

Affected Products:

• Siemens SENTRON 7KT PAC1261 Data Manager
• Firmware versions prior to 4.0.12

CVE ID: CVE-2023-4521

CVSS Score: 9.8 (Critical)

Technical Description: The vulnerability exists due to improper authentication implementation in the web interface of the SENTRON 7KT PAC1261 Data Manager. An unauthenticated attacker with network access to the device can exploit this vulnerability to gain full administrative privileges. The issue stems from a hardcoded administrative credential that cannot be changed by users.

Impact: Successful exploitation could allow an attacker to:

• Access sensitive energy consumption data
• Modify device configuration
• Disconnect or redirect power monitoring
• Gain initial foothold in industrial networks
• Potentially pivot to other connected systems

Mitigation Steps:

1. Apply the security patch provided by Siemens immediately.
2. If patch is unavailable, implement the following compensating controls:
   • Place the device in a segmented network zone
   • Configure firewall rules to restrict access to the management interface
   • Change default credentials if possible
   • Monitor for unusual access patterns
3. Consider replacing affected devices if no patch is available within 30 days.

Timeline:

• Vulnerability discovered: June 2023
• Vendor notified: June 15, 2023
• Patch released: August 1, 2023
• CISA advisory issued: August 8, 2023

Siemens has released firmware version 4.0.12 which addresses this vulnerability. Users are urged to update as soon as possible. For more information, see the Siemens security advisory and the CISA alert.