Root vulnerabilities in Siemens Sentron 7KT PAC1260 Data Manager remain open
Because support for a Siemens multi-channel current meter has expired, there are no more security updates.
The data manager software for the Sentron 7KT PAC1260 multi-channel current meter from Siemens is vulnerable and can be attacked via several "critical" security vulnerabilities. As the device is no longer supported, it remains vulnerable and users must switch to hardware that is still supported.
The dangers
Siemens warns in an article that attackers can exploit a total of nine vulnerabilities. Four of these are classified as critical (CVE-2024-41788, CVE-2024-41789, CVE-2024-41790, CVE-2024-41794). In three cases, authenticated attackers can use certain POST requests to the web interface to execute malicious code with root privileges. It can be assumed that they then gain full control over the devices.
The last of the four critical vulnerabilities has been given the highest possible CVSS score of 10 out of 10. Due to a backdoor in the form of hardcoded access data, attackers can hijack devices.
Attackers can also use the remaining vulnerabilities to change settings, gain remote access to devices or change passwords.
Protective measure
As there are no more security updates, users have no choice but to switch to the successor Sentron 7KT PAC1261 Data Manager, which is still supported. In any case, the old device should be taken out of service as soon as possible so that it does not offer attackers an attack surface. So far there have been no reports of attacks.
(des)