Siemens reports critical flaw in SiPass physical access control system
Take action: If you are using Siemens SiPass, make sure it's isolated from the internet and accessible only from trusted networks and only to trusted admins. This is not an urgent patch, but it's wise to update the system since it can compromise physical access.
Learn More
Siemens is reporting a critical security vulnerability in their SiPass integrated physical access control system.
The flaw tracked as CVE-2024-48510 (CVSS score 9.1) and it enables attackers to execute arbitrary code on the application server through specially crafted backup sets during restore operations. The flaw stems from a directory traversal weakness in the DotNetZip component used by the system.
The following Siemens products and versions are affected:
- SiPass integrated V2.90: Versions prior to V2.90.3.19
- SiPass integrated V2.95: Versions prior to V2.95.3.15
Siemens has released patches and provided specific mitigation guidance through their security advisory (SSA-992434). Siemens reccommends users to update to the latest patched versions (V2.90.3.19 or V2.95.3.15 or later), ensure only trusted personnel can initiate restore operations via the Configuration Client and avoiding the use of untrusted backup files for restore operations.
CISA reports no known public exploitation targeting this vulnerability.
