ID

VAR-202507-0189


CVE

CVE-2024-31854


TITLE

Certificate validation vulnerability in Siemens' SICAM TOOLBOX II

Trust: 0.8

sources: JVNDB: JVNDB-2024-027292

DESCRIPTION

A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.11). During establishment of an HTTPS connection to the TLS server of a managed device, the affected application doesn't check the device's certificate common name against an expected value. This could allow an attacker to execute an on-path network (MitM) attack. Siemens' SICAM TOOLBOX II contains a certificate validation vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Siemens SICAM TOOLBOX II is engineering software from Siemens, Germany. The vulnerability is caused by not checking the common name of the device certificate. Attackers can exploit this vulnerability to carry out man-in-the-middle attacks.

Trust: 2.16

sources: NVD: CVE-2024-31854 // JVNDB: JVNDB-2024-027292 // CNVD: CNVD-2025-16621

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-16621

AFFECTED PRODUCTS

vendor: siemens, model: sicam toolbox ii, scope: lt, version: 07.11

Trust: 1.0

vendor: シーメンス, model: sicam toolbox ii, scope: eq, version: 07.11

Trust: 0.8

vendor: シーメンス, model: sicam toolbox ii, scope: -, version: -

Trust: 0.8

vendor: シーメンス, model: sicam toolbox ii, scope: eq, version: -

Trust: 0.8

vendor: siemens, model: sicam toolbox ii, scope: lt, version: v07.11

Trust: 0.6

sources: CNVD: CNVD-2025-16621 // JVNDB: JVNDB-2024-027292 // NVD: CVE-2024-31854

CVSS

SEVERITY

CVSSV2

CVSSV3

productcert@siemens.com: CVE-2024-31854
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2024-31854
value: HIGH

Trust: 1.0

NVD: CVE-2024-31854
value: HIGH

Trust: 0.8

CNVD: CNVD-2025-16621
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-16621
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

productcert@siemens.com: CVE-2024-31854
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2024-31854
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-16621 // JVNDB: JVNDB-2024-027292 // NVD: CVE-2024-31854 // NVD: CVE-2024-31854

PROBLEMTYPE DATA

problemtype: CWE-295

Trust: 1.0

problemtype: Improper certificate validation (CWE-295) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2024-027292 // NVD: CVE-2024-31854

PATCH

title: Patch for Siemens SICAM TOOLBOX II Trust Management Issue Vulnerability (CNVD-2025-16621)
url: https://www.cnvd.org.cn/patchInfo/show/711126

Trust: 0.6

sources: CNVD: CNVD-2025-16621

EXTERNAL IDS

db: NVD, id: CVE-2024-31854

Trust: 3.2

db: SIEMENS, id: SSA-183963

Trust: 2.4

db: JVN, id: JVNVU99667406

Trust: 0.8

db: JVNDB, id: JVNDB-2024-027292

Trust: 0.8

db: CNVD, id: CNVD-2025-16621

Trust: 0.6

sources: CNVD: CNVD-2025-16621 // JVNDB: JVNDB-2024-027292 // NVD: CVE-2024-31854

REFERENCES

url:https://cert-portal.siemens.com/productcert/html/ssa-183963.html

Trust: 2.4

url:https://jvn.jp/vu/jvnvu99667406/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2024-31854

Trust: 0.8

sources: CNVD: CNVD-2025-16621 // JVNDB: JVNDB-2024-027292 // NVD: CVE-2024-31854

SOURCES

db: CNVD, id: CNVD-2025-16621
db: JVNDB, id: JVNDB-2024-027292
db: NVD, id: CVE-2024-31854

LAST UPDATE DATE

2025-08-24T22:52:23.310000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-16621, date: 2025-07-22T00:00:00
db: JVNDB, id: JVNDB-2024-027292, date: 2025-08-21T09:14:00
db: NVD, id: CVE-2024-31854, date: 2025-08-20T16:17:45.790

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-16621, date: 2025-07-22T00:00:00
db: JVNDB, id: JVNDB-2024-027292, date: 2025-08-21T00:00:00
db: NVD, id: CVE-2024-31854, date: 2025-07-08T11:15:24.180