The Softing PSIRT is a central team at Softing tasked with managing the investigation and disclosure of security vulnerabilities. All reports about possible vulnerabilities or other security incidents in connection with Softing products can be forwarded to the Softing PSIRT. The Softing PSIRT coordinates and maintains communication with everyone involved, both internally and externally, so that it can provide an appropriate response to any security problems that are identified.
Disclosing vulnerabilities enables us to fix these vulnerabilities and inform customers using the products in question about the fix. This approach can help us to keep making our products more secure and above all support Softing customers in managing security risks.
If you think you have uncovered a security vulnerability in a Softing product, please report it by email to psirt[at]softing[dot]com.
Please include the following information with your report:
The Softing PSIRT process is based on the FIRST framework and follows its four steps:
Discovery, Triage, Remediation, Disclosure.
Softing will ensure that the information is sent to a select group of designated Softing employees with experience in dealing with incidents of this type: the Softing Product Security Incident Response Team (PSIRT). Neither unauthorized employees nor external users will have access to the information you send.
In addition, Softing will ensure that the identity and contact details of the security expert are kept confidential and not published in any public statements (advisories and bulletins) unless explicitly requested by the security expert. The Softing PSIRT will investigate the reported vulnerability and contact you as soon as possible.
The Softing PSIRT investigates all reports of security problems and publishes security advisories about validated security vulnerabilities that affect Softing products directly and require either a software update, software upgrade or another action by the customer. As part of ongoing efforts to support operators in addressing security risks and in ensuring the protected operation of systems, the Softing PSIRT publishes information that operators need to evaluate the ramifications of a security vulnerability.
We publish information about vulnerabilities in Softing products and new or updated security advisories on our web pages.
Click here to download our PGP key
Fingerprint: 220C 4E9E 9A71 17BB C8E1 F863 0D5C 307C CACE DEDC
Languages: German or English
Transmission: preferably encrypted
ID | Title | CVE | CVSS Score | Products | Date | Download |
SYT-2024-2 | Missing release of memory vulnerability in uaToolkit Embedded and smartLink | CVE-2024-25075 | 6.5 | uaToolkit Embedded | 09.03.2024 | |
SYT-2024-1 | Cross-site scripting vulnerability in TH SCOPE | CVE-2023-37571 | 9.8 | TH SCOPE | 24.01.2024 | HTML JSON |
ID | Title | CVE | CVSS Score | Products | Date | Download |
SYT-2023-9 | Multiple vulnerabilities in edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-27335 CVE-2023-38125 CVE-2023-38126 | 6.6 7.2 7.2 | edgeConnector edgeAggregator Secure Integration Server | 01.12.2023 | HTML JSON |
SYT-2023-8 | Path Traversal vulnerability in edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-39482 | 4.9 | edgeConnector edgeAggregator Secure Integration Server | 01.12.2023 | HTML JSON |
SYT-2023-7 | NULL pointer dereference vulnerability in edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-27336 | 7.5 | edgeConnector edgeAggregator Secure Integration Server | 30.11.2023 | HTML JSON |
SYT-2023-6 | Relative path traversal vulnerability in Secure Integration Server | CVE-2023-39481 | 7.2 | Secure Integration Server | 30.11.2023 | HTML JSON |
SYT-2023-5 | Improper access control vulnerability in OPC Suite | CVE-2023-37572 | 5.6 | OPC Suite | 29.11.2023 | HTML JSON |
SYT-2023-4 | Improper input validation vulnerability in edgeConnector Siemens | CVE-2023-6358 | 4.9 | edgeConnector Siemens | 28.11.2023 | HTML JSON |
SYT-2023-3 | Uncaught exception vulnerability in OPC UA C++ SDK, Secure Integration Server and OPC Suite | CVE-2023-41151 | 7.5 | OPC UA C++ SDK | 07.11.2023 | |
SYT-2023-2 | Bypass of limitations and relative path traversal vulnerability in OPC UA C++ SDK and Secure Integration Server | CVE-2023-29377 CVE-2023-29378 | 7.7 | OPC UA C++ SDK Secure Integration Server | 05.06.2023 | HTML JSON |
SYT-2023-1 | Uncontrolled resource consumption vulnerability in OPC UA C++ SDK, edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-27334 | 7.5 | OPC UA C++ SDK Secure Integration Server edgeConnector edgeAggregator | 05.06.2023 | HTML JSON |
ID | Title | CVE | CVSS Score | Products | Date | Download |
SYT-2022-11 | Multiple vulnerabilities in smartLink SW-HT | CVE-2022-48192 CVE-2022-48193 | 7.2 | smartLink SW-HT | 29.12.2022 | HTML JSON |
SYT-2022-10 | Multiple vulnerabilities in uaToolkit Embedded and smartLink HW-DP | CVE-2022-44018 CVE-2022-45920 | 7.5 | uaToolkit Embedded smartLink HW-DP | 28.12.2022 | HTML JSON |
SYT-2022-9 | Improper input validation vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator, uaGate and OPC Suite | CVE-2022-37453 | 7.5 | OPC UA C++ SDK Secure Integration Server edgeConnector edgeAggregator uaGate OPC Suite | 14.10.2022 | HTML JSON |
SYT-2022-8 | Use after free vulnerability in OPC UA C++ SDK and OPC Suite | CVE-2022-39823 | 7.5 | OPC UA C++ SDK OPC Suite | 14.10.2022 | HTML JSON |
SYT-2022-7 | NULL pointer dereference vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector and edgeAggregator | CVE-2022-1748 | 7.5 | OPC UA C++ SDK Secure Integration Server edgeConnector edgeAggregator | 29.07.2022 | HTML JSON |
SYT-2022-6 | Default credentials authentication bypass vulnerability in Secure Integration Server, edgeConnector and edgeAggregator | CVE-2022-2336 | 9.8 | Secure Integration Server edgeConnector edgeAggregator | 27.07.2022 | HTML JSON |
SYT-2022-5 | Remote code execution vulnerability in configuration restore functionality of Secure Integration Server | CVE-2022-2334 CVE-2022-1373 CVE-2022-2338 | 7.2 | Secure Integration Server | 27.07.2022 | HTML JSON |
SYT-2022-4 | Multiple denial of service vulnerabilities in FastCGI interface of Secure Integration Server | CVE-2022-1069 CVE-2022-2337 CVE-2022-2335 CVE-2022-2547 | 7.5 | Secure Integration Server | 27.07.2022 | HTML JSON |
SYT-2022-3 | Multiple vulnerabilities in the OPC UA .NET Standard SDK and the OPC UA .NET SDK | CVE-2022-29862 CVE-2022-29863 CVE-2022-29864 CVE-2022-29865 | 7.5 | OPC UA .NET Standard SDK OPC UA .NET SDK | 22.07.2022 | HTML JSON |
SYT-2022-2 | Vulnerabilities in the OpenSSL used in the OPC UA C++ SDK | CVE-2022-0778 | 7.5 | OPC UA C++ SDK | 15.03.2022 | HTML JSON |
SYT-2022-1 | Multiple vulnerabilities in the OPC UA C++ SDK | CVE-2021-42262 CVE-2021-42577 | 7.5 | OPC UA C++ SDK OPC Suite Secure Integration Server | 09.03.2022 | HTML JSON |
Description | Category | CVE | Date | Product | Fixed in Version |
Possible memory corruption in BT controller | Medium | CVE-2021-35093 | 06.12.2021 | mobiLink | N. A. |
CWE 20: Improper Input Validation | High | CVE-2021-40872 | 08.11.2021 | uaToolkit Embedded smartLink HW DP | 1.40 planned for 1.19 |
CWE 415: Double Free | High | CVE-2021-40873 | 08.11.2021 | uaToolkit Embedded OPC UA C++ SDK TH SCOPE dataFEED OPC Suite Secure Integration Server edgeConnector uaGates | 1.40 5.66 N. A. 5.18 planned for 1.30 3.10 1.73 |
CWE 20: Improper Input Validation | Medium | CVE-2021-40871 | 08.11.2021 | OPC UA C++ SDK TH SCOPE dataFEED OPC Suite Secure Integration Server | 5.66 N. A. 5.18 planned for 1.30 |
Improper Restriction of Operations within the Bounds of a Memory Buffer | High | CVE-2021-32994 | 17.06.2021 | OPC UA C++ SDK | 5.65 |
Endless recursion in XML Structures | High | CVE-2021-27432 | 17.02.2021 | OPC UA .NET Standard SDK OPC UA .NET SDK | 2.80 1.48 |
Privilege Elevation vulnerability | Medium | CVE-2020-29457 | 15.02.2021 | OPC UA .NET Standard SDK | 2.80 |
Description | Category | CVE | Date | Product | Fixed in Version |
HEAP-BASED BUFFER OVERFLOW | High | CVE-2020-14524 | 28.07.2020 | OPC Classic SDK | 4.47.1 |
UNCONTROLLED RESOURCE CONSUMPTION | High | CVE-2020-14522 | 28.07.2020 | OPC Classic SDK | 4.47.1 |
Servers do not create sufficiently random numbers | High | CVE-2019-19135 | 10.03.2020 | .NET Standard SDK | 2.40 |
Servers do not create sufficiently random numbers | High | CVE-2019-19135 | 10.03.2020 | dataFEED C++ SDK | 5.62 |
Description | Category | CVE | Date | Product | Fixed in Version |
Authenticated remote code execution possible | High | CVE-2019-15051 | 10.10.2019 | uaGate SI uaGate MB uaGate840D edgeGate | 1.72.00.1996 |
Sudo privilege escalation | High | CVE-2019-11526 | 10.10.2019 | uaGate SI uaGate MB uaGate840D edgeGate | 1.71.00.1225 |
Another authenticated remote code execution | High | CVE-2019-11527 | 10.10.2019 | uaGate SI uaGate MB uaGate840D edgeGate | 1.72.00.1996 |
Default unix user permissions | High | CVE-2019-11528 | 10.10.2019 | uaGate SI uaGate MB uaGate840D edgeGate | 1.71.00.1225 |
No representations are made as to the completeness or accuracy of the listing above. This information is provided without any guarantee or warranty of any kind, either explicit or tacit. We reserve the right to change or update the content of this website without notice at any time. The free update enables you to prevent or limit the consequences of damage resulting from security vulnerabilities. We cannot be held liable for any consequences arising from any omission in this regard. Security vulnerabilities cannot be removed in every case for products which have already reached their end-of-life cycle.
CVE stands for Common Vulnerabilities and Exposures. It is an industry standard that aims to introduce a common naming convention for vulnerabilities and other security issues in computer systems. Where different companies and institutions give the same threat different names, those names are supplemented by a serial number (e.g. CVE-2006-3086) to ensure clear identification of the vulnerability. This enables a smooth exchange of information between the various databases of individual manufacturers.