CVE-2024-32011
Published: 11 November 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-32011 is a vulnerability in Siemens Spectrum Power 4, affecting all versions prior to V4.70 SP12 Update 2. The flaw enables the execution of arbitrary commands through the application's user interface, which is accessible over the network. Commands run with the privileges of the administrative application user. The vulnerability is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation allows the execution of arbitrary commands as the administrative application user, with high impact on the confidentiality, integrity, and availability of the affected system.
Siemens has issued security advisory SSA-339694, available at https://cert-portal.siemens.com/productcert/html/ssa-339694.html, which addresses this issue. Mitigation requires updating to Spectrum Power 4 V4.70 SP12 Update 2 or later.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing application (T1190) for arbitrary command execution, with privilege escalation from a low-privileged user to the administrative application user (T1068).