Siemens Spectrum Power 4.7 (ICSA-19-099-02) – Products Used in the Water and Wastewater and Energy Sectors

The NCCIC has published an advisory on a command injection vulnerability in Siemens Spectrum Power 4.7. Spectrum Power 4 with Web Office Portal is affected. Successful exploitation of this vulnerability in versions of Spectrum Power 4 using the user-specific project enhancement (PE) Web Office Portal (WOP) are affected by an OS command injection vulnerability. The vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this vulnerability. Successful exploitation compromises confidentiality, integrity, or availability of the targeted system. Siemens recommends users install bugfix bf-47456_PE_WOP_fix to mitigate the vulnerability in the affected version. The NCCIC has also provided a series of measures for mitigating the vulnerabilities. Read the advisory at NCCIC/ICS-CERT.