Multiple vulnerabilities in Siemens SiPass integrated AC5102 and ACC-AP
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2025-27493 CVE-2025-27494 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SiPass integrated AC5102 Other software / Other software solutions SiPass integrated ACC-AP Other software / Other software solutions |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU105719
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-27493
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input on the telnet command line interface. A local administrator can inject arbitrary commands and gain elevated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSiPass integrated AC5102: before 6.4.9
SiPass integrated ACC-AP: before 6.4.9
CPE2.3- cpe:2.3:a:siemens:sipass_integrated_ac5102:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sipass_integrated_acc-ap:*:*:*:*:*:*:*:*
https://cert-portal.siemens.com/productcert/html/ssa-515903.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU105720
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-27494
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input for the pubkey endpoint of the REST API. A local administrator can inject arbitrary commands and gain elevated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSiPass integrated AC5102: before 6.4.9
SiPass integrated ACC-AP: before 6.4.9
CPE2.3- cpe:2.3:a:siemens:sipass_integrated_ac5102:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sipass_integrated_acc-ap:*:*:*:*:*:*:*:*
https://cert-portal.siemens.com/productcert/html/ssa-515903.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
