This vulnerability in Siemens Industrial Edge Management Pro products arises from improper enforcement of user authentication on remote device connections. Versions affected include Industrial Edge Management Pro V1 (>= V1.7.6 and < V1.15.17), V2 (>= V2.0.0 and < V2.1.1), and Industrial Edge Management Virtual (>= V2.2.0 and < V2.8.0). An attacker who identifies the remote connection header and port and confirms the remote connection feature is enabled can bypass authentication and impersonate a legitimate user, allowing tunneling to the device. However, security features on the device itself, such as app-specific authentication, are not impacted. The CVSS 3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability.

Successful exploitation allows an unauthenticated remote attacker to bypass authentication controls on remote connections to devices managed by the affected Siemens Industrial Edge Management Pro products. This can lead to unauthorized access and impersonation of legitimate users, potentially compromising confidentiality, integrity, and availability of the management system. However, device-level security features remain intact, limiting the scope of impact to the management system's remote connection interface.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider disabling the remote connection feature if not required, restrict network access to the management system to trusted sources, and monitor for any unusual remote connection attempts. Follow Siemens' official advisories for updates on patches or mitigations.