CVE-2019-18284
Description
A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). The AdminService is available without authentication on the Application Server. An attacker can use methods exposed via this interface to receive password hashes of other users and to change user passwords. Please note that an attacker needs to have access to the Application Highway in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated AdminService in SPPA-T3000 Application Server before R8.2 SP2 exposes methods to fetch password hashes and change user passwords.
Vulnerability
The SPPA-T3000 Application Server, in all versions prior to Service Pack R8.2 SP2, exposes the AdminService without authentication [1]. This service provides methods that can be used to retrieve password hashes of other users and to modify user passwords. No special configuration beyond default deployment is required for this attack surface to be reachable.
Exploitation
An attacker must have network access to the Application Highway to reach the vulnerable AdminService [1]. No authentication is needed. By invoking the exposed methods, the attacker can enumerate password hashes and subsequently change passwords of other users without authorization.
Impact
Successful exploitation allows an attacker to obtain password hashes (leading to credential disclosure) and to arbitrarily change user passwords. This can result in full compromise of user accounts and potentially elevate access privileges within the application server. The confidentiality and integrity of the system are affected.
Mitigation
Siemens has released Service Pack R8.2 SP2 to address this vulnerability [1]. Users should upgrade to this version or later. No workarounds are documented. At the time of publication, no public exploitation was known [1], and the CVE is not listed in the KEV catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < Service Pack R8.2 SP2
- Siemens / SPPA-T3000 Application Server, range: All versions < Service Pack R8.2 SP2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/155665/Siemens-Security-Advisory-SPPA-T3000-Code-Execution.html (MISC)
- cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf (MISC)
News mentions
No linked articles in our index yet.