Siemens released security updates for several of its SCADA (supervisory control and data acquisition) products for industrial environments, in order to fix critical vulnerabilities that may have been exploited in recent attacks.
One of the vulnerabilities allows unauthenticated attackers to remotely execute arbitrary code on a Siemens SIMATIC WinCC SCADA server by sending specially crafted packets to it. The flaw received the maximum severity score of 10 in the Common Vulnerability Scoring System and can lead to a full system compromise.
The other vulnerability can also be exploited by unauthenticated attackers by sending specially crafted packets, but to extract arbitrary files from the WinCC server. The flaw has a CVSS score of 7.8.