CVE-2025-27493
Published: 11 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-27493 affects SiPass integrated AC5102 (ACC-G2) and SiPass integrated ACC-AP in all versions prior to V6.4.9. The vulnerability arises from improper sanitization of user input for specific commands on the Telnet command line interface and is classified under CWE-20 (Improper Input Validation). It carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity because of the significant potential impact and the changed scope.
An authenticated local administrator with access to the Telnet CLI can exploit this flaw by injecting arbitrary commands. These commands execute with root privileges, allowing privilege escalation and full compromise of the device, resulting in high impacts to confidentiality, integrity, and availability.
Siemens Security Advisory SSA-515903, available at https://cert-portal.siemens.com/productcert/html/ssa-515903.html, addresses this issue. Affected systems should be updated to version V6.4.9 or later to mitigate the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an authenticated local administrator inject arbitrary commands through the Telnet CLI, which directly enables Unix shell command execution as root and privilege escalation to full device compromise.