CVE-2019-18283
Description
A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). The AdminService is available without authentication on the Application Server. An attacker can gain remote code execution by sending specifically crafted objects to one of its functions. Please note that an attacker needs to have access to the Application Highway in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The AdminService in Siemens SPPA-T3000 Application Server is unauthenticated, enabling remote code execution via crafted objects when access to the Application Highway is available.
Vulnerability
The AdminService in Siemens SPPA-T3000 Application Server (all versions before Service Pack R8.2 SP2) is accessible without authentication [1]. An attacker can send specially crafted objects to one of its functions, leading to remote code execution. This vulnerability requires access to the Application Highway network.
Exploitation
An attacker with network access to the Application Highway can connect to the AdminService and send crafted objects without any authentication. No user interaction is needed. The exact steps involve crafting malicious objects and delivering them to the vulnerable endpoint.
Impact
Successful exploitation allows remote code execution on the Application Server, potentially giving the attacker full control over the system, compromising confidentiality, integrity, and availability.
Mitigation
Siemens has released Service Pack R8.2 SP2 to fix this vulnerability [1]. Users should update to the patched version. No workarounds are documented. As of the advisory publication, no public exploitation was known.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < Service Pack R8.2 SP2
- Siemens/SPPA-T3000 Application Server | v5 | Range: All versions < Service Pack R8.2 SP2
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/155665/Siemens-Security-Advisory-SPPA-T3000-Code-Execution.html (mitre, x_refsource_MISC)
- cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf (mitre, x_refsource_MISC)