CVE-2024-39872: A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly assign...

9.6 CVSS

Description

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly assign rights to temporary files created during its update process. This could allow an authenticated attacker with the 'Manage firmware updates' role to escalate their privileges on the underlying OS level.

Classification

CVE ID: CVE-2024-39872

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Problem Types

CWE-378: Creation of Temporary File With Insecure Permissions

Affected Products

Vendor: Siemens

Product: SINEMA Remote Connect Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.25% (probability of being exploited)

EPSS Percentile: 48.26% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-30 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: manipulation

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39872
https://cert-portal.siemens.com/productcert/html/ssa-381581.html

Timeline