July 9, 2019

The NCCIC has updated this advisory with additional information on mitigation measures. Read the advisory at CISA.

February 12, 2019

The NCCIC has published an advisory on cleartext transmission of sensitive information, cross-site scripting, and cross-site request forgery vulnerabilities in Siemens CP1604 and CP1616. All versions of these products prior to 2.8 are affected. Successful exploitation of these vulnerabilities could result in a denial-of-service condition and information exposure. An attacker could inject arbitrary JavaScript in a specially crafted URL request to execute on unsuspecting user’s systems, allowing an attacker to trigger actions via the web interface that a legitimate user is allowed to perform. Siemens recommends users upgrade to version 2.8. The NCCIC also advises of a series of measures for mitigating these vulnerabilities. Read the advisory at NCCIC/ICS-CERT.