CVE-2024-41792

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices contains a path traversal vulnerability. This could allow an unauthenticated attacker it to access arbitrary files on the device with root privileges.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-187636.html	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:siemens:7kt_pac1260_data_manager_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:7kt_pac1260_data_manager:-:*:*:*:*:*:*:*

History

23 Sep 2025, 16:21

Type	Values Removed	Values Added
CPE		cpe:2.3:o:siemens:7kt_pac1260_data_manager_firmware:::::::: cpe:2.3:h:siemens:7kt_pac1260_data_manager:-:::::::*
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-187636.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-187636.html - Vendor Advisory
First Time		Siemens 7kt Pac1260 Data Manager Firmware Siemens Siemens 7kt Pac1260 Data Manager

08 Apr 2025, 18:13

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en SENTRON 7KT PAC1260 Data Manager (todas las versiones). La interfaz web de los dispositivos afectados contiene una vulnerabilidad de path traversal. Esto podría permitir que un atacante no autenticado acceda a archivos arbitrarios del dispositivo con privilegios de root.

08 Apr 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-08 09:15

Updated : 2025-09-23 16:21

NVD link : CVE-2024-41792

Mitre link : CVE-2024-41792

CVE.ORG link : CVE-2024-41792

JSON object : View

Products Affected

siemens

7kt_pac1260_data_manager
7kt_pac1260_data_manager_firmware

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-41792", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-08T09:15:19.257", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-187636.html", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices contains a path traversal vulnerability. This could allow an unauthenticated attacker it to access arbitrary files on the device with root privileges."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en SENTRON 7KT PAC1260 Data Manager (todas las versiones). La interfaz web de los dispositivos afectados contiene una vulnerabilidad de path traversal. Esto podr\u00eda permitir que un atacante no autenticado acceda a archivos arbitrarios del dispositivo con privilegios de root."}], "lastModified": "2025-09-23T16:21:32.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:siemens:7kt_pac1260_data_manager_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E6C441C-751B-4D8B-967B-8237E181F21A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:siemens:7kt_pac1260_data_manager:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "129B89C3-6730-47B7-9D07-41116E8230A0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "productcert@siemens.com"}