CVE-2022-43722: CWE-427: Uncontrolled Search Path Element in Siemens SICAM PAS/PQS
A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software does not properly secure a folder containing library files. This could allow an attacker to place a custom malicious DLL in this folder which is then run with SYSTEM rights when a service is started that requires this DLL. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions.
AI Analysis
Technical Summary
CVE-2022-43722 is a high-severity vulnerability affecting Siemens SICAM PAS/PQS software versions prior to 7.0. The root cause is an uncontrolled search path element (CWE-427): the software does not properly secure the directory that holds its library files (DLLs). This weak folder protection allows an attacker with limited local access to place a malicious DLL into that folder. When the affected service starts and loads the DLL, the attacker's code executes with SYSTEM-level privileges, effectively granting full control over the host. Triggering the load requires local access and user interaction, but no prior authentication. The CVSS 3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability due to SYSTEM-level code execution. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to industrial control systems and critical infrastructure environments that rely on SICAM PAS/PQS for power automation and substation control. Siemens has released versions 7.0 and later to address the issue, superseding the vulnerable versions. The vulnerability is particularly critical because it allows privilege escalation from local user to SYSTEM, potentially enabling attackers to disrupt or manipulate industrial processes.
Potential Impact
For European organizations, especially those in the energy and utilities sectors, this vulnerability presents a serious threat. SICAM PAS/PQS is widely used in power automation and substation control systems across Europe, where industrial control system security is paramount. Exploitation could lead to unauthorized control over critical infrastructure, causing operational disruptions, data breaches, or sabotage. The SYSTEM-level execution could allow attackers to disable safety mechanisms, alter configurations, or cause outages, impacting grid stability and public safety. Given the strategic importance of energy infrastructure in Europe and increasing geopolitical tensions, threat actors may be motivated to exploit such vulnerabilities to cause economic or societal harm. Additionally, the vulnerability's requirement for local access means that insider threats or attackers who gain initial footholds via other means could leverage this flaw to escalate privileges and move laterally within networks. The lack of known exploits in the wild does not diminish the risk, as the vulnerability is straightforward to exploit once local access is obtained.
Mitigation Recommendations
1. Immediate upgrade to Siemens SICAM PAS/PQS version 7.0 or later, where this vulnerability is patched, is the most effective mitigation.
2. Restrict and monitor local access to systems running SICAM PAS/PQS, ensuring only authorized personnel can access the file system and service control interfaces.
3. Implement application whitelisting and integrity monitoring on directories containing DLLs to detect or prevent unauthorized file modifications.
4. Harden endpoint security by disabling unnecessary user accounts and enforcing least privilege principles to reduce the risk of local exploitation.
5. Employ network segmentation to isolate industrial control systems from general IT networks, limiting the ability of attackers to gain local access.
6. Regularly audit and monitor system logs for suspicious DLL loading or service restarts that could indicate exploitation attempts.
7. Use endpoint detection and response (EDR) tools capable of detecting anomalous DLL injections or privilege escalation behaviors.
8. Conduct security awareness training for personnel with local access to these systems to recognize and report suspicious activities.
These measures, combined with patching, will significantly reduce the risk posed by this vulnerability.
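The analysis above traces the flaw to a library folder whose ACL lets low-privileged users write into it, and the mitigations call for monitoring such directories. The following PowerShell is an added example (not code from Siemens or the advisory) that audits a folder's ACL for write-class rights granted to principals outside a trusted set; the folder path and the trusted-principal list are assumptions to adjust for the real deployment.

```powershell
# Added example, not from the Siemens advisory or the SICAM product: audits a library
# folder's ACL for "Allow" entries that give write-class rights to principals outside a
# trusted set. Such an entry is the precondition for the DLL planting described above.
# The folder path used at the bottom is a placeholder, not a documented SICAM path.
function Get-UntrustedWritableAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals expected to hold write rights on a system-owned library folder (assumed set).
        [string[]] $TrustedPrincipals = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller',
            'CREATOR OWNER'
        )
    )

    # Rights that let a principal drop, replace or re-permission files in the folder.
    # Modify and FullControl both include the Write bits, so checking these is enough.
    $writeMask = [System.Security.AccessControl.FileSystemRights] `
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Bitwise test on the underlying int also handles inherited ACEs carrying generic-right bits.
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        [PSCustomObject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Applies   = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

# Placeholder path: substitute the real SICAM PAS/PQS library directory.
$findings = Get-UntrustedWritableAce -Path 'C:\PLACEHOLDER\SICAM\Libraries'
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No write-class rights granted to untrusted principals.'
}
```

Any row returned names a principal who could stage a DLL that the service later loads as SYSTEM; inherited entries usually point at a permissive parent directory rather than the folder itself, so fix the ACL at the level where the entry originates.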
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Poland, Netherlands, Belgium, Sweden, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2022-10-24T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d984ac4522896dcbf7172
Added to database: 5/21/2025, 9:09:30 AM
Last enriched: 6/21/2025, 2:53:51 PM
Last updated: 8/4/2025, 2:33:24 AM