Skip to main content

SiPass CVE-2025-27494

CRITICAL
Improper Input Validation (CWE-20)
2025-03-11 productcert@siemens.com
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 10:15 nvd
CRITICAL 9.1

DescriptionCVE.org

A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.9), SiPass integrated ACC-AP (All versions < V6.4.9). Affected devices improperly sanitize input for the pubkey endpoint of the REST API. This could allow an authenticated remote administrator to escalate privileges by injecting arbitrary commands that are executed with root privileges.

AnalysisAI

Siemens SiPass integrated access control systems (AC5102 ACC-G2 and ACC-AP, before V6.4.9) allow authenticated administrators to escalate to root via command injection in the REST API's pubkey endpoint. While high privileges are required, the scope change enables full system compromise.

Technical ContextAI

The pubkey endpoint of the REST API fails to sanitize administrator-supplied input before passing it to a system command (CWE-20). An authenticated administrator can inject OS commands that execute with root privileges, escalating beyond their intended access level.

Affected ProductsAI

SiPass integrated AC5102 (ACC-G2) < V6.4.9, SiPass integrated ACC-AP < V6.4.9

RemediationAI

Update to SiPass integrated V6.4.9 or later. Restrict admin API access to trusted networks. Audit admin account usage and implement MFA for admin access.

Share

CVE-2025-27494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy