Skip to main content
(844) 422-7000

Siemens SIMATIC S7-1500 TM MFP

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: SIMATIC S7-1500 TM MFP
  • Vulnerabilities: Double Free, Use After Free, NULL Pointer Dereference, Buffer Access with Incorrect Length Value, Use of Uninitialized Variable

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, or gain unauthorized access to sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • SIMATIC S7-1500 TM MFP – BIOS: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 DOUBLE FREE CWE-415

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach. The number of the currently released descriptor is never incremented, which results in the same skb being released multiple times.

CVE-2024-41046 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.2 USE AFTER FREE CWE-416

In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode’s list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn’t happen.

CVE-2024-41049 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 NULL POINTER DEREFERENCE CWE-476

In the Linux kernel, the following vulnerability has been resolved: mm: prevent derefencing NULL ptr in pfn_section_valid() Commit 5ec8e8ea8b77 (“mm/sparsemem: fix race in accessing memory_section->usage”) changed pfn_section_valid() to add a READ_ONCE() call around “ms->usage” to fix a race with section_deactivate() where ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough to prevent NULL pointer dereference. We need to check its value before dereferencing it.

CVE-2024-41055 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.4 BUFFER ACCESS WITH INCORRECT LENGTH VALUE CWE-805

In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don’t see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn’t have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).

CVE-2024-42154 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.5 USE OF UNINITIALIZED VARIABLE CWE-457

In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD.

CVE-2024-42161 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Only build and run applications from trusted sources
  • Currently no fix is available

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-503939 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Siemens SiPass integrated AC5102/ACC-G2 and ACC-AP

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SiPass integrated AC5102 (ACC-G2), SiPass integrated ACC-AP
  • Vulnerabilities: Missing Authentication for Critical Function, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute commands on the device with root privileges and access sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens SiPass integrated AC5102 (ACC-G2): All versions prior to V6.4.8 (CVE-2024-52285)
  • Siemens SiPass integrated AC5102 (ACC-G2): All versions prior to V6.4.9 (CVE-2025-27493, CVE-2025-27494)
  • Siemens SiPass integrated ACC-AP: All versions prior to V6.4.8 (CVE-2024-52285)
  • Siemens SiPass integrated ACC-AP: All versions prior to V6.4.9 (CVE-2025-27493, CVE-2025-27494)

3.2 VUNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data.

CVE-2024-52285 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-52285. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

Affected devices improperly sanitize user input for specific commands on the telnet command line interface. This could allow an authenticated local administrator to escalate privileges by injecting arbitrary commands that are executed with root privileges.

CVE-2025-27493 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27493. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

Affected devices improperly sanitize input for the pubkey endpoint of the REST API. This could allow an authenticated remote administrator to escalate privileges by injecting arbitrary commands that are executed with root privileges.

CVE-2025-27494 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27494. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Airbus Security reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SiPass integrated AC5102 (ACC-G2), SiPass integrated ACC-AP: Update to V6.4.8 or later version (CVE-2024-52285)
  • SiPass integrated AC5102 (ACC-G2), SiPass integrated ACC-AP: Set an individual strong password for the administrator account “SIEMENS” (CVE-2025-27493, CVE-2025-27494)
  • SiPass integrated AC5102 (ACC-G2), SiPass integrated ACC-AP: Update to V6.4.9 or later version (CVE-2025-27493, CVE-2025-27494)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-515903 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Siemens SINAMICS S200

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SINAMICS S200
  • Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to download untrusted firmware that could damage or compromise the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens SINAMICS S200: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER AUTHENTICATION CWE-287

The affected device contains an unlocked bootloader. This security oversight enables attackers to inject malicious code or to install untrusted firmware. The intrinsic security features designed to protect against data manipulation and unauthorized access are compromised when the bootloader is not secured.

CVE-2024-56336 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-56336. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SINAMICS S200: Follow the general security recommendations and apply defense in depth. Contact your local customer service for further support

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-787280 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

 

Siemens SCALANCE M-800 and SC-600 Families

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 6.3
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: SCALANCE M-800 family (incl. S615, MUM-800 and RM1224), SCALANCE SC-600 family
  • Vulnerability: Partial String Comparison

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain partial invalid usernames accepted by the server. A remote attacker would need access to a valid certificate in order to perform a successful attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens SCALANCE SC-600 family: All versions
  • Siemens RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2): All versions prior to V8.2.1
  • Siemens SCALANCE M876-3 (6GK5876-3AA02-2BA2): vers: All versions prior to V8.2.1
  • Siemens SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2): All versions prior to V8.2.1
  • Siemens SCALANCE M876-4 (6GK5876-4AA10-2BA2): All versions prior to V8.2.1
  • Siemens SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2): All versions prior to V8.2.1
  • Siemens SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2): All versions prior to V8.2.1
  • Siemens SCALANCE MUB852-1 (A1) (6GK5852-1EA10-1AA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUB852-1 (B1) (6GK5852-1EA10-1BA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1): All versions prior to V8.2.1
  • Siemens RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2): All versions prior to V8.2.1
  • Siemens SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1): All versions prior to V8.2.1
  • Siemens SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1): All versions prior to V8.2.1
  • Siemens SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2): All versions prior to V8.2.1
  • Siemens SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2): All versions prior to V8.2.1
  • Siemens SCALANCE M804PB (6GK5804-0AP00-2AA2): All versions prior to V8.2.1
  • Siemens SCALANCE M812-1 ADSL-Router family: All versions prior to V8.2.1
  • Siemens SCALANCE M816-1 ADSL-Router family: All versions prior to V8.2.1
  • Siemens SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2): All versions prior to V8.2.1
  • Siemens SCALANCE M874-2 (6GK5874-2AA00-2AA2): All versions prior to V8.2.1
  • Siemens SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2): All versions prior to V8.2.1
  • Siemens SCALANCE M874-3 (6GK5874-3AA00-2AA2): All versions prior to V8.2.1

3.2 VULNERABILITY OVERVIEW

3.2.1 PARTIAL STRING COMPARISON CWE-187

Affected devices improperly validate usernames during OpenVPN authentication. This could allow an attacker to get partial invalid usernames accepted by the server.

CVE-2025-23384 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-23384. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.4 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.5 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SCALANCE SC-600 family: Currently no fix is available.
  • RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2), SCALANCE M804PB (6GK5804-0AP00-2AA2), SCALANCE M812-1 ADSL-Router family, SCALANCE M816-1 ADSL-Router family, SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2), SCALANCE M874-2 (6GK5874-2AA00-2AA2), SCALANCE M874-3 (6GK5874-3AA00-2AA2), SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2), SCALANCE M876-3 (6GK5876-3AA02-2BA2), SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2), SCALANCE M876-4 (6GK5876-4AA10-2BA2), SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2), SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2), SCALANCE MUB852-1 (A1) (6GK5852-1EA10-1AA1), SCALANCE MUB852-1 (B1) (6GK5852-1EA10-1BA1), SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1), SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1), SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1), SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1), SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1), SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1), SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1), SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1), SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2), SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2): Update to V8.2.1 or later version.
  • All affected products: Apply a strong password policy for your devices.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-280834 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Siemens SCALANCE LPE9403

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SCALANCE LPE9403
  • Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Check for Dropped Privileges

2. RISK EVALUATION

Successful exploitation of these vulnerabilities allow a remote attacker to execute arbitrary code, read and write arbitrary files, escalate privileges, or execute a limited set of binaries that are present on the filesystem

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Versions prior to V4.0

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Affected devices do not properly sanitize user input when creating new VXLAN configurations. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device.

CVE-2025-27392 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27392. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Affected devices do not properly sanitize user input when creating new users. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device.

CVE-2025-27393 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27393. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Affected devices do not properly sanitize user input when creating new SNMP users. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device.

CVE-2025-27394 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27394. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Affected devices do not properly limit the scope of files accessible through and the privileges of the SFTP functionality. This could allow an authenticated highly-privileged remote attacker to read and write arbitrary files.

CVE-2025-27395 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27395. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER CHECK FOR DROPPED PRIVILEGES CWE-273

Affected devices do not properly limit the elevation of privileges required to perform certain valid functionality. This could allow an authenticated lowly-privileged remote attacker to escalate their privileges.

CVE-2025-27396 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27396. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Affected devices do not properly limit user controlled paths to which logs are written and from where they are read. This could allow an authenticated highly-privileged remote attacker to read and write arbitrary files in the filesystem, if and only if the malicious path ends with ‘log’ .

CVE-2025-27397 has been assigned to this vulnerability. A CVSS v3 base score of 3.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27397. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.7 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Affected devices do not properly neutralize special characters when interpreting user controlled log paths. This could allow an authenticated highly-privileged remote attacker to execute a limited set of binaries that are already present on the filesystem.

CVE-2025-27398 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27398. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Update to V4.0 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-075201 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Siemens Tecnomatix Plant Simulation

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.0
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: Tecnomatix Plant Simulation
  • Vulnerabilities: Files or Directories Accessible to External Parties

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthorized attacker to read or delete arbitrary files or the entire file system of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens Tecnomatix Plant Simulation V2302: All versions prior to V2302.0021
  • Siemens Tecnomatix Plant Simulation V2404: All versions prior to V2404.0010

3.2 VULNERABILITY OVERVIEW

3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

The affected application does not properly restrict access to the file deletion functionality. This could allow an unauthorized attacker to delete files even when access to the system should be prohibited, resulting in potential data loss or unauthorized modification of system files.

CVE-2025-25266 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-25266. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.2 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

The affected application does not properly restrict the scope of files accessible to the simulation model. This could allow an unauthorized attacker to compromise the confidentiality of the system.

CVE-2025-25267 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-25267. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Tecnomatix Plant Simulation V2302: Update to V2302.0021 or later version
  • Tecnomatix Plant Simulation V2404: Update to V2404.0010 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-507653 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Siemens OPC UA

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: OPC UA
  • Vulnerabilities: Observable Timing Discrepancy, Authentication Bypass by Primary Weakness

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to bypass application authentication and gain access to the data managed by the server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Industrial Edge for Machine Tools (formerly known as “SINUMERIK Edge”): All versions (CVE-2024-42513)
  • SIMIT V11: All versions (CVE-2024-42512)
  • SIMATIC BRAUMAT: All versions from V8.0 SP1 up to but not including V8.1 (CVE-2024-42513)
  • SIMATIC Energy Manager PRO: All versions from V7.5 up to but not including V7.5 Update 2
  • SIMATIC Energy Manager PRO: All versions after V7.2 Update 6
  • SIMATIC IPC DiagMonitor: All versions (CVE-2024-42513)
  • SIMATIC SISTAR: All versions from V8.0 SP1 up to but not including V8.1 (CVE-2024-42513)
  • SIMATIC WinCC Unified V18: All versions (CVE-2024-42513)
  • SIMATIC WinCC Unified V19: All versions before V19 Update 4 (CVE-2024-42513)
  • SIMATIC WinCC V8.0: All versions before V8.0 Update 3 (CVE-2024-42513)

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE TIMING DISCREPANCY CWE-208

Vulnerability in the OPC UA .NET standard stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.

CVE-2024-42512 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-42512. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305

Vulnerability in the OPC UA .NET standard stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.

CVE-2024-42513 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-42513. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SIMATIC Energy Manager PRO: Update to V7.5 Update 2 or later version.
  • (CVE-2024-42512) SIMATIC Energy Manager PRO, SIMIT V11: Currently no fix is available.
  • (CVE-2024-42513) SIMATIC WinCC Unified V18, SIMATIC WinCC Unified V19: Please note that the affected functionality (HTTPS endpoint in OPC UA server) is deactivated by default in Unified RT. Systems running with default configuration are therefore not affected by this vulnerability.
  • (CVE-2024-42513) SIMATIC IPC DiagMonitor: Please note that the affected functionality (HTTPS endpoint in OPC UA Server) is deactivated by default. Systems running with default configuration are therefore not affected by this vulnerability.
  • (CVE-2024-42513) Industrial Edge for Machine Tools (formerly known as “SINUMERIK Edge”), SIMATIC IPC DiagMonitor: Currently no fix is planned.
  • (CVE-2024-42513) SIMATIC Energy Manager PRO, SIMATIC WinCC Unified V18: Currently no fix is available.
  • (CVE-2024-42513) SIMATIC WinCC Unified V19: Update to V19 Update 4 or later version.
  • (CVE-2024-42513) SIMATIC WinCC V8.0: Update to V8.0 Update 3 or later version.
  • (CVE-2024-42513) SIMATIC BRAUMAT, SIMATIC SISTAR: Update to V8.1 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-858251 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Siemens SINEMA Remote Connect Client

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SINEMA Remote Connect Client
  • Vulnerabilities: Integer Overflow or Wraparound, Unprotected Alternate Channel, Improper Restriction of Communication Channel to Intended Endpoints, Stack-based Buffer Overflow, Unrestricted Upload of File with Dangerous Type, Missing Release of Resource after Effective Lifetime

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to overflow memory buffers, impersonate a legitimate user, maintain longer session times, gain elevated privileges, and execute code remotely.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens SINEMA Remote Connect Client: All versions below V3.2 SP3

3.2 VULNERABILITY OVERVIEW

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

The tap-windows6 driver version 9.26 and earlier does not properly check the size data of incoming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space.

CVE-2024-1305 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-1305. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 UNPROTECTED ALTERNATE CHANNEL CWE-420

If an attacker with SeImeprsonatePrivilege manages to create a named pipe server with a name matching that used by the “Interactive Service”, user interfaces such as OpenVPN-GUI connecting to it could allow the attacker to impersonate the user running the UI.

CVE-2024-4877 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-4877. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 IMPROPER RESTRICTION OF COMMUNICATION CHANNEL TO INTENDED ENDPOINTS CWE-923

The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely which allows a remote attacker to interact with the privileged OpenVPN interactive service.

CVE-2024-24974 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-24974. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 STACK-BASED BUFFER OVERFLOW CWE-121

The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.

CVE-2024-27459 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-27459. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.

CVE-2024-27903 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-27903. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 MISSING RELEASE OF RESOURCE AFTER EFFECTIVE LIFETIME CWE-772

OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session.

CVE-2024-28882 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-28882. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-615740 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Siemens SIMATIC IPC Family, ITP1000, and Field PGs

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: SIMATIC IPC Family, SIMATIC ITP1000, SIMATIC Field PGs
  • Vulnerabilities: Protection Mechanism Failure

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to alter the secure boot configuration or to disable the BIOS password.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens SIMATIC Field PG M5: All versions
  • Siemens SIMATIC IPC377G: All versions
  • Siemens SIMATIC IPC427E: All versions
  • Siemens SIMATIC IPC477E: All versions
  • Siemens SIMATIC IPC477E PRO: All versions
  • Siemens SIMATIC IPC527G: All versions
  • Siemens SIMATIC IPC627E: Versions prior to 25.02.15
  • Siemens SIMATIC IPC647E: Versions prior to V25.02.15
  • Siemens SIMATIC IPC677E: Versions prior to V25.02.15
  • Siemens SIMATIC IPC847E: Versions prior to V25.02.15
  • Siemens SIMATIC IPC3000 SMART V3: All versions
  • Siemens SIMATIC Field PG M6: Versions prior to V26.01.12 (CVE-2024-56182)
  • Siemens SIMATIC IPC BX-21A: Versions prior to V31.01.07
  • Siemens SIMATIC IPC BX-32A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC BX-39A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC BX-59A: Versions prior to V32.01.04
  • Siemens SIMATIC IPC PX-32A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC PX-39A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC PX-39A PRO: Versions prior to V29.01.07
  • Siemens SIMATIC IPC RC-543B: All versions
  • Siemens SIMATIC IPC RW-543A: All versions
  • Siemens SIMATIC ITP1000: All versions
  • Siemens SIMATIC IPC127E: All versions
  • Siemens SIMATIC IPC277G PRO: All versions
  • Siemens SIMATIC IPC227E: All versions
  • Siemens SIMATIC IPC227G: All versions
  • Siemens SIMATIC IPC277E: All versions
  • Siemens SIMATIC IPC277G: All versions
  • Siemens SIMATIC IPC327G: All versions
  • Siemens SIMATIC IPC347G: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 PROTECTION MECHANISM FAILURE CWE-693

The affected devices have insufficient protection mechanism for the EFI (Extensible Firmware Interface) variables stored on the device. This could allow an authenticated attacker to alter the secure boot configuration without proper authorization by directly communicating with the flash controller.

CVE-2024-56181 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-56181. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 PROTECTION MECHANISM FAILURE CWE-693

The affected devices have insufficient protection mechanism for the EFI (Extensible Firmware Interface) variables stored on the device. This could allow an authenticated attacker to disable the BIOS password without proper authorization by directly communicating with the flash controller.

CVE-2024-56182 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-56182. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Restrict access to root/administrator permission for the operating system
  • SIMATIC IPC627E, SIMATIC IPC647E, SIMATIC IPC677E, SIMATIC IPC847E: Update to V25.02.15 or later version
  • SIMATIC IPC BX-39A, SIMATIC IPC PX-39A, SIMATIC IPC PX-39A PRO, SIMATIC IPC BX-32A, SIMATIC IPC PX-32A: Update to V29.01.07 or later version
  • SIMATIC IPC BX-21A: Update to V31.01.07 or later version
  • SIMATIC IPC BX-59A: Update to V32.01.04 or later version
  • SIMATIC Field PG M6: Update to V26.01.12 or later version
  • SIMATIC Field PG M5, SIMATIC IPC RC-543B, SIMATIC IPC RW-543A, SIMATIC IPC127E, SIMATIC IPC227G, SIMATIC IPC277G, SIMATIC IPC277G PRO, SIMATIC IPC3000 SMART V3, SIMATIC IPC327G, SIMATIC IPC347G, SIMATIC IPC377G, SIMATIC IPC427E, SIMATIC IPC477E, SIMATIC IPC477E PRO, SIMATIC IPC527G, SIMATIC ITP1000, SIMATIC IPC227E, SIMATIC IPC277E: Currently no fix is available

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-216014 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication

Sungrow iSolarCloud Android App WiNet Firmware

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.5
  • ATTENTION: Exploitable remotely
  • Vendor: Sungrow
  • Equipment: iSolarCloud Android App, WiNet Firmware
  • Vulnerabilities: Improper Certificate Validation, Use of a Broken or Risky Cryptographic Algorithm, Authorization Bypass Through User-Controlled Key, User of Hard-Coded Credentials, Stack-Based Buffer Overflow, Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in attackers being able to access and could modify sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Sungrow software products are affected:

  • iSolarCloud Android App: Version 2.1.6 and prior
  • WiNet Firmware: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

The Android app for iSolarCloud explicitly ignores certificate errors and is vulnerable to adversary-in-the-middle attacks. This may allow an attacker to impersonate the iSolarCloud server and communicate with the Android app.

CVE-2024-50691 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50691. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.2 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

The iSolarCloud Android mobile application uses an insecure AES key to encrypt client data (insufficient entropy). This may allow attackers to decrypt intercepted communications between the mobile app and iSolarCloud.

CVE-2024-50684 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50684. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.3 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

The iSolarCloud API is vulnerable to multiple insecure direct object references (IDOR) via the powerStationService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.

CVE-2024-50685 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50685. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.4 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the userService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.

CVE-2024-50693 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50693. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N).

3.2.5 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the orgService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.

CVE-2024-50689 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50689. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N).

3.2.6 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the commonService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.

CVE-2024-50686 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50686. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).

3.2.7 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the devService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.

CVE-2024-50687 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50687. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).

3.2.8 USE OF HARD-CODED CREDENTIALS CWE-798

The iSolarCloud Android application and the cloud use hard-coded MQTT credentials for exchanging the device telemetry. This vulnerability may allow an attacker to gain unauthorized access to user accounts, sensitive information, and execute arbitrary code.

CVE-2024-50688 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50688. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).

3.2.9 USE OF HARD-CODED CREDENTIALS CWE-798

The WiNet’s module firmware contains hardcoded MQTT credentials that could allow an attacker to impersonate a device-facing MQTT broker. This vulnerability may allow an attacker to gain unauthorized access to user accounts, sensitive information, and execute arbitrary code.

CVE-2024-50692 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-50692. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.10 USE OF HARD-CODED PASSWORD CWE-259

The WiNet WebUI contains a hard-coded password that can be used to decrypt all firmware updates. This vulnerability can allow an attacker to gain unauthorized access to accounts.

CVE-2024-50690 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-50690. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).

3.2.11 STACK-BASED BUFFER OVERFLOW CWE-121

When copying the time stamp read from an MQTT message, the underlying code does not check the bounds of the buffer that is used to store the message. This may lead to a stack-based buffer overflow in which an attacker could potentially execute arbitrary code, remotely.

CVE-2024-50694 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-50694. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.12 STACK-BASED BUFFER OVERFLOW CWE-121

When decrypting MQTT messages, the code that parses specific TLV fields does not have sufficient bounds checks. This may result in a stack-based buffer overflow in which an attacker could potentially execute arbitrary code, remotely.

CVE-2024-50697 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-50697. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.13 STACK-BASED BUFFER OVERFLOW CWE-121

There is a potential stack-based buffer overflow when parsing MQTT messages, due to missing MQTT topic bounds checks. The affected products are vulnerable to a stack-based buffer overflow which may allow an attacker to remotely execute arbitrary code.

CVE-2024-50695 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-50695. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.14 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected products are vulnerable to a heap-based buffer overflow, due to bounds checks of the MQTT message content. This vulnerability may allow an attacker to remotely execute arbitrary code.

CVE-2024-50698 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-50698. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.15 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494

The affected products lack proper integrity checks during the update process. This vulnerability allows an attacker to send a specific MQTT message to install potentially harmful firmware files hosted on an attacker-controlled server. This could result in unauthorized control of affected devices.

CVE-2024-50696 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-50696. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Daniel dos Santos, Stanislav Dashevskyi, and Francesco La Spina of Forescout Technologies reported these vulnerabilities to CISA.

4. MITIGATIONS

Sungrow has released updated versions of affected firmware. Users are encouraged to apply version WINET-SV200.001.00.P028 or higher. Users should also update their iSolarCloud Android App to the latest version via device app store. The iSolarCloud has been repaired and requires no further user action.

For more information refer to Sungrow’s security notice.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • March 13, 2025: Initial Publication