In a recent security advisory, Siemens ProductCERT has revealed multiple critical vulnerabilities affecting the SENTRON 7KT PAC1260 Data Manager. The advisory, published on April 8, 2025, warns that these vulnerabilities could allow attackers to gain significant control over affected devices.
The security advisory outlines a series of vulnerabilities, each with the potential to severely compromise the security of the SENTRON 7KT PAC1260 Data Manager. These vulnerabilities include:
OS Command Injection: Several vulnerabilities (CVE-2024-41788, CVE-2024-41789, CVE-2024-41790) stem from the web interface's failure to properly sanitize input parameters. This flaw could enable an authenticated remote attacker to execute arbitrary code with root privileges, granting them deep access to the system.
Missing Authentication: The advisory highlights issues with missing authentication for critical functions. CVE-2024-41791 reveals that the web interface does not authenticate report creation requests, potentially allowing an unauthenticated remote attacker to "read or clear the log files on the device, reset the device or set the date and time." CVE-2024-41793 exposes an endpoint that allows enabling the SSH service without authentication, which could allow unauthorized remote access.
Path Traversal: A path traversal vulnerability (CVE-2024-41792) exists in the web interface, potentially enabling an unauthenticated attacker to "access arbitrary files on the device with root privileges."
Hardcoded Credentials: Perhaps one of the most severe findings is CVE-2024-41794, which reveals that affected devices contain "hardcoded credentials for remote access to the device operating system with root privileges." If an attacker obtains these credentials and the SSH service is enabled (possibly through the exploitation of CVE-2024-41793), they could gain full control of the device.
Cross-Site Request Forgery (CSRF): The web interface is also susceptible to CSRF attacks (CVE-2024-41795). This vulnerability could allow an attacker to "change arbitrary device settings by tricking a legitimate device administrator to click on a malicious link."
Unverified Password Change: In conjunction with the CSRF vulnerability, CVE-2024-41796 allows changing the login password without knowing the current password, compounding the risk.
The severity of these vulnerabilities is underscored by the high CVSS scores. Multiple vulnerabilities have a CVSS v3.1 Base Score of 9.1, and CVE-2024-41794 has a maximum CVSS v3.1 Base Score of 10.0.
The advisory states that "Software fixes can no longer be provided for The SENTRON 7KT PAC1260 Data Manager." Siemens recommends that users replace the vulnerable device with the new SENTRON 7KT PAC1261 Data Manager and update it to the latest available firmware.
Siemens provides the following workarounds and mitigations to reduce risk:
For CVE-2024-41795 and CVE-2024-41796, the advisory recommends that users "Do not access links from untrusted sources while logged in at affected devices."
Siemens also emphasizes the importance of general security measures, strongly recommending the protection of network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for industrial security.