CVE-2025-27494
📋 TL;DR
This vulnerability allows authenticated remote administrators on SiPass integrated access control systems to escalate privileges by injecting arbitrary commands through the pubkey endpoint of the REST API. The injected commands execute with root privileges, enabling complete system compromise. Affected systems include SiPass integrated AC5102 (ACC-G2) and SiPass integrated ACC-AP devices running versions below V6.4.9.
💻 Affected Systems
- SiPass integrated AC5102 (ACC-G2)
- SiPass integrated ACC-AP
📦 What is this software?
SiPass integrated is Siemens' access control platform. The AC5102 (ACC-G2) and ACC-AP listed above are the controllers it manages; each exposes a REST API for device administration, and the pubkey endpoint of that API is where the flaw sits.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root access, allowing attacker to disable security systems, steal credentials, install persistent backdoors, or pivot to other network segments.
Likely Case
Privilege escalation from authenticated administrator to root, enabling modification of access control rules, user databases, and system configurations.
If Mitigated
Limited impact where the REST API is confined to a management network and administrator accounts are few, strongly authenticated and monitored: an attacker needs both valid administrator credentials and network reach to the endpoint before the injection is usable.
🎯 Exploit Status
Exploitation requires valid administrator credentials. Once authenticated, the flaw is a straightforward command injection caused by missing input sanitization on the pubkey parameter, and the injected command runs as root.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V6.4.9
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-515903.html
Restart Required: Yes
Instructions:
1. Download the V6.4.9 firmware from the Siemens support portal (see the advisory linked above).
2. Back up the current configuration.
3. Apply the firmware update through the web interface or console.
4. Reboot the device.
5. Verify that the reported version is V6.4.9 or higher.
🔧 Temporary Workarounds
Network Segmentation
Isolate SiPass devices from the general network and restrict access to their management interfaces to a dedicated management segment.
Access Control Restrictions
Limit the number of administrator accounts and enforce strong authentication, with MFA where the deployment supports it.
🧯 If You Can't Patch
- Implement strict network access controls to limit which IP addresses can reach the REST API management interface.
- Monitor and audit all administrator account activity, especially write operations (POST/PUT) against the pubkey endpoint of the REST API.
🔍 How to Verify
Check if Vulnerable:
Check device firmware version through web interface or console. If version is below V6.4.9, device is vulnerable.
Check Version:
Check via web interface at System > About or via console using system info commands specific to device model.
Verify Fix Applied:
After patching, confirm the firmware version shows V6.4.9 or higher. Do not send injection payloads at a production access controller to "test" the fix; the version check plus the vendor advisory is the verification, and any active testing belongs on a non-production device.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to the pubkey endpoint (shown here as /api/pubkey; confirm the exact path on your firmware)
- Multiple failed authentication attempts followed by successful admin login
- Shell metacharacters (; | & ` $( ) > and similar) in pubkey parameter values, which never occur in a well-formed public key
Network Indicators:
- Unusual outbound connections from SiPass devices
- Traffic to pubkey endpoints with suspicious payloads
SIEM Query (pseudo-syntax; adapt the source and field names to your log pipeline):
source="sipass" AND (uri_path="/api/pubkey" OR uri_path CONTAINS "pubkey") AND (http_method="POST" OR http_method="PUT")
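The query above only selects writes to the pubkey endpoint; the indicators in this section and the IP-restriction advice under "If You Can't Patch" still need something to evaluate them. The script below is an added example, not code from Siemens or from this page: it walks a small set of constructed JSON audit records (the field names, the /api/pubkey path and the 10.10.0.0/24 management subnet are assumptions, since the real SiPass log format is not published in the advisory) and flags pubkey writes that come from outside the management allow-list, contain shell metacharacters, or do not parse as an OpenSSH public key. The last check is the same strict allow-list validation a hardened endpoint would apply to the parameter before using it.

```python
"""Flag suspicious writes to a SiPass-style pubkey REST endpoint.

Added example. The record format, field names, endpoint path and
management subnet below are constructed for illustration; adapt the
parser and constants to the logs your SiPass devices actually emit.
"""
import ipaddress
import json
import re

# Management subnets permitted to reach the REST API (hypothetical).
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Match any path that mentions the pubkey endpoint; exact path unknown.
PUBKEY_PATH = re.compile(r"pubkey", re.IGNORECASE)

# Characters that are only dangerous if the value ever reaches a shell.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")

# Strict shape of an OpenSSH public key: key type, base64 blob, optional
# comment without whitespace. Reject anything else rather than clean it.
OPENSSH_PUBKEY = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))"
    r" [A-Za-z0-9+/]+={0,2}"
    r"( [A-Za-z0-9._@+-]+)?$"
)

# Constructed audit records (JSON lines), not real SiPass output.
CONSTRUCTED_LOG = """
{"ts": "2025-04-08T09:12:01Z", "src": "10.10.0.5", "user": "admin", "method": "PUT", "path": "/api/pubkey", "status": 200, "params": {"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKq6WBm5l2Y2p3a0bk5o9Z1j2xQpK3xZl9c8VqzE1ABC ops@mgmt"}}
{"ts": "2025-04-08T09:13:44Z", "src": "10.10.0.5", "user": "admin", "method": "PUT", "path": "/api/pubkey", "status": 200, "params": {"key": "ssh-rsa AAAAB3NzaC1yc2E; id > /tmp/pwned"}}
{"ts": "2025-04-08T09:15:02Z", "src": "192.168.50.23", "user": "admin", "method": "POST", "path": "/api/pubkey", "status": 200, "params": {"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7"}}
{"ts": "2025-04-08T09:15:30Z", "src": "10.10.0.5", "user": "admin", "method": "GET", "path": "/api/status", "status": 200, "params": {}}
{"ts": "2025-04-08T09:16:10Z", "src": "10.10.0.7", "user": "admin", "method": "POST", "path": "/api/pubkey", "status": 500, "params": {"key": "$(cat /etc/shadow)"}}
{"ts": "2025-04-08T09:16:40Z", "src": "10.10.0.7", "user": "admin", "method": "GET", "path": "/api/pubkey", "status": 200, "params": {}}
"""


def is_valid_openssh_pubkey(value: str) -> bool:
    """True only if the value has the exact shape of an OpenSSH public key."""
    return OPENSSH_PUBKEY.fullmatch(value) is not None


def in_admin_network(src: str) -> bool:
    """True if the client address falls inside a permitted management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_NETWORKS)


def inspect_record(rec: dict) -> list:
    """Return the reasons a record is suspicious; an empty list means clean.

    Only POST/PUT to the pubkey endpoint are examined, mirroring the SIEM
    query above: reads do not carry the injected parameter.
    """
    reasons = []
    if not PUBKEY_PATH.search(rec.get("path", "")):
        return reasons
    if rec.get("method") not in ("POST", "PUT"):
        return reasons
    if not in_admin_network(rec["src"]):
        reasons.append(f"source {rec['src']} outside management allow-list")
    for name, value in rec.get("params", {}).items():
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacters in parameter {name!r}")
        elif not is_valid_openssh_pubkey(value):
            reasons.append(f"parameter {name!r} is not a well-formed OpenSSH public key")
    return reasons


def scan(log_text: str) -> list:
    """Return (source_ip, reasons) for every suspicious record, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reasons = inspect_record(rec)
        if reasons:
            findings.append((rec["src"], reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan(CONSTRUCTED_LOG):
        print(f"{src}: {'; '.join(reasons)}")
```

Run over the constructed records it reports three events: the `;`-laden key and the `$(...)` key from inside the management subnet, and a well-formed key submitted from 192.168.50.23, which is outside the allow-list. Metacharacter hits are reported before format failures so the more specific signal is not drowned out; a value that is merely malformed still surfaces, because a legitimate administrator pushing keys through the API should never produce one.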