Security Vulnerabilities Persist in Siemens Sentron 7KT PAC1260 Data Manager

Sun 13th Apr, 2025

The Siemens Sentron 7KT PAC1260 Data Manager, a multichannel power measurement device, is affected by significant security vulnerabilities. Because official support for the device has ended, it will no longer receive critical security updates, leaving it exposed to potential attacks.

According to warnings issued by Siemens, the software associated with the Sentron 7KT PAC1260 contains several significant security flaws. In total, there are nine vulnerabilities, four of which are classified as critical: CVE-2024-41788, CVE-2024-41789, CVE-2024-41790, and CVE-2024-41794.

In particular, authenticated attackers could exploit these critical vulnerabilities via the web interface by sending specially crafted POST requests, which may allow them to execute malicious code with root privileges. The most severe of these vulnerabilities has been assigned a maximum CVSS score of 10 out of 10, indicating its high risk level. This situation is exacerbated by a backdoor created through hardcoded credentials, enabling attackers to potentially take control of the devices.

Aside from the critical vulnerabilities, the remaining weaknesses could permit attackers to alter settings, gain unauthorized remote access to the devices, or change passwords. Given the lack of upcoming security patches, users are strongly advised to transition to a newer, supported model, specifically the Sentron 7KT PAC1261 Data Manager.

To reduce the risk of exploitation, it is crucial that users decommission the older model promptly. At present, there have been no reports of actual attacks targeting these vulnerabilities, but the potential for such incidents remains a pressing concern.

