CVE-2017-6870
CVE-2017-6870 is a high-severity vulnerability in Siemens Simatic Wincc Sm@rtclient with a CVSS 3.x base score of 7.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-300.
Key facts
- Severity: High (CVSS 3.x base score 7.4)
- CVSS v2: 5.8
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-300
- Affected product: Siemens Simatic Wincc Sm@rtclient
- Published:
- Last modified:
Description
A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient for Android (All versions before V1.0.2.2). The existing TLS protocol implementation could allow an attacker to read and modify data within a TLS session while performing a Man-in-the-Middle (MitM) attack.
Frequently asked questions
- What is CVE-2017-6870?
- A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient for Android (All versions before V1.0.2.2). The existing TLS protocol implementation could allow an attacker to read and modify data within a TLS session while performing a Man-in-the-Middle (MitM) attack.
- How severe is CVE-2017-6870?
- CVE-2017-6870 has a CVSS 3.x base score of 7.4, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2017-6870 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-6870?
- CVE-2017-6870 affects Siemens Simatic Wincc Sm@rtclient. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2017-6870?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2017-6870 published?
- CVE-2017-6870 was published on 2017-08-08 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/99582
- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-589378.pdf
Affected products (1)
- cpe:2.3:a:siemens:simatic_wincc_sm\@rtclient:*:*:*:*:*:android:*:*
More vulnerabilities in Siemens Simatic Wincc Sm@rtclient
- CVE-2017-6871 — Medium (CVSS 5.4): A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient for Android (All versions before V1.0.2.2) and…
- CVE-2015-5084 — Low (CVSS 2.1): The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly…
- CVE-2014-5231 — Low (CVSS 2.1): The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to extract the…
- CVE-2014-5233 — Low (CVSS 1.9): The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to discover…
- CVE-2014-5232 — Low (CVSS 1.9): The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows local users to bypass an intended…
All CVEs affecting Siemens Simatic Wincc Sm@rtclient →
Other CWE-300 vulnerabilities
- CVE-2023-31004 — High (CVSS 8.3): IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security…
- CVE-2024-31206 — High (CVSS 8.2): dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `[email protected]`, network requests to…
- CVE-2025-31214 — High (CVSS 8.1): This issue was addressed through improved state management. This issue is fixed in iOS 18.5 and iPadOS 18.5. An…
- CVE-2024-36553 — High (CVSS 8.1): Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h is vulnerable to MITM attack.
- CVE-2021-21953 — High (CVSS 8.1): An authentication bypass vulnerability exists in the process_msg() function of the home_security binary of Anker Eufy…
- CVE-2021-41033 — High (CVSS 8.1): In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be…