Siemens SENTRON 7KT PAC1261 Data Manager
Summary
A request smuggling vulnerability has been identified in Siemens SENTRON 7KT PAC1261 Data Manager versions prior to V2.1.0. This vulnerability, stemming from the Go Project's net/http package, could allow an attacker to obtain authorization tokens and gain administrative control over the device. Siemens has released an update to address this issue.
IFF Assessment
The discovery of a critical vulnerability that allows for administrative control over industrial control devices is bad news for defenders.
Severity
The CVSS v3 score of 9.1 indicates a critical severity, reflecting the potential for an attacker to gain administrative control and the ease of exploitation through request smuggling. The attack vector is network-based, and the impact is high on confidentiality, integrity, and availability.
Defender Context
This vulnerability highlights the ongoing risk of HTTP request smuggling in network-accessible devices, particularly those in critical infrastructure. Defenders should prioritize patching affected Siemens SENTRON devices and review network segmentation to limit exposure. Staying aware of vulnerabilities in the underlying Go project's HTTP package is also crucial for proactive defense.