In October 2022, a critical vulnerability was identified in the Siemens POWER METER SICAM Q200 family (all versions before V2.70). Design flaws around how web session cookies are managed allow attackers to hijack user sessions and gain unauthorized access to critical control systems. This post will break down exactly how the flaw works, include code snippets to demonstrate the exploit, and point you to the official sources for further reading. If you're in ICS, OT, or critical infrastructure, this is a must-know!

What Is the SICAM Q200 and Why Should You Care?

SICAM Q200 is a family of power meters used for energy monitoring and automation in substations, factories, and data centers. These meters often sit on internal networks but are sometimes internet-exposed for remote management. If an attacker gains access, they can manipulate energy readings, shut down processes, or pivot deeper into industrial networks.

What’s CVE-2022-43398?

CVE-2022-43398 is a specific vulnerability affecting all versions of SICAM Q200 firmware prior to V2.70. The crux of the issue is with session cookies—the part of the login system that keeps you signed into the web interface.

Here’s what’s wrong:

1. Session cookies are not renewed after login or logout.

Step 1: Prepare the Exploit

An attacker needs the ability to make you visit a link or have you access a specially crafted page. This could be done via:

- Compromised internal webpage.

The attacker sets a session cookie in your browser before you visit the SICAM Q200 login page. (A browser only lets a page set cookies for its own host or a parent domain, which is why this hinges on a compromised page on the same host or domain as the meter.)

Sample JavaScript Snippet

<script>
// Plant a known session cookie value before the victim logs in
document.cookie = "SESSIONID=attackercookie; path=/;";
// Then redirect the victim to the SICAM Q200 login page
window.location.href = "http://victim-q200.local/login";
</script>

When you now log in, your browser *keeps* the “SESSIONID=attackercookie” value, since the server never re-issues a fresh, random session cookie.

Step 2: Victim Logs In

You log in as normal. The meter's web server doesn’t rotate or reassign your session cookie.

Now, because the attacker *knows* the cookie value (for example, “attackercookie”), they simply use a web client and present this cookie to the device—even from a different machine.

Sample cURL Command

curl -b "SESSIONID=attackercookie" http://victim-q200.local/protected_page

🎯 Boom! The attacker is now logged in *as you*, since the server trusts the cookie.

References

- Siemens Official Advisory - SSA-970155
- National Vulnerability Database: CVE-2022-43398
- ICS-CERT Advisory: ICSA-22-316-10

Final Thoughts

This is a classic case where a simple design flaw (not renewing session tokens on login, and allowing external cookies) puts critical infrastructure at risk. Attackers don’t always need a fancy exploit—they just need the right timing and a little social engineering.

If you’re running SICAM Q200, update your firmware to V2.70 or later as soon as possible, and review your network security controls. And always remember: web security basics, including proper session handling, are just as vital in industrial control as in web apps!


For real-world OT security, always stay patched, watch your network, and keep your users educated.

*Exclusive and summarized just for you—share with your team and stay safe!*

Timeline

Published on: 11/08/2022 11:15:00 UTC
Last modified on: 06/13/2023 09:15:00 UTC