OTPulse

Siemens Automation License Manager Vulnerabilities

Act Now | CVSS 9.1 | ICS-CERT ICSA-16-287-02 | Jul 17, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens Automation License Manager (ALM) contains multiple critical vulnerabilities (CWE-400 resource exhaustion, CWE-89 SQL injection, CWE-22 path traversal). These flaws allow remote exploitation with high impact on confidentiality and availability of the licensing system that controls software feature enablement across your automation infrastructure.

What this means
What could happen
An attacker could inject SQL commands, traverse file paths, or exhaust resources on the license manager, potentially disabling access to critical automation software or corrupting licensing data for your control systems.
Who's at risk
Organizations running Siemens automation software (PLC/SCADA engineering tools, engineering workstations, industrial control systems) rely on the Automation License Manager to validate and enable software features. Water authorities and utilities using Siemens TIA Portal, PCS 7, or similar engineering suites should be concerned, particularly if the license manager is reachable from process networks or untrusted networks.
How it could be exploited
An attacker with network access to the Automation License Manager service (typically port 8443 or similar) can send specially crafted requests containing SQL injection payloads or path traversal sequences. No authentication is required. The attacker could read/modify the license database, disable license validation, or crash the service, disrupting software activation across your plant.
Prerequisites
  • Network access to the ALM service port (default 8443)
  • No credentials required
  • ALM version V5.3_SP3_Update_1 or earlier
Tags: remotely exploitable · no authentication required · low complexity · no patch available · SQL injection enables data modification
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (1)
Product | Affected Versions | Fix Status
ALM: <V5.3_SP3_Update_1 | <V5.3 SP3 Update 1 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the Automation License Manager on a protected network segment (e.g., engineering VLAN) and restrict access via firewall rules to only authorized engineering workstations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: If possible, contact Siemens to determine if a patch or workaround is available beyond V5.3_SP3_Update_1. For end-of-life products, plan migration to supported ALM versions.
WORKAROUND: If ALM is only needed during maintenance windows, disable or isolate the service when not in use.
Mitigations - no patch available
ALM: <V5.3_SP3_Update_1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor ALM service logs for unusual SQL syntax, path traversal attempts, or repeated connection failures that may indicate exploitation attempts.
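
One way to implement the log monitoring recommended above, as an added example that is not OTPulse or Siemens code. The page does not give the ALM log format, so the line layout, the event names and the sample lines are constructed assumptions to adapt to the logs you actually collect.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample; assumed layout: "<timestamp> <source-ip> <event> <detail>".
SAMPLE_LOG = """\
2016-07-18T02:14:07Z 10.20.5.17 REQUEST license=example_feature
2016-07-18T02:14:09Z 10.20.9.44 REQUEST license=x' OR '1'='1
2016-07-18T02:14:11Z 10.20.9.44 REQUEST file=..%2f..%2fconfig.db
2016-07-18T02:14:12Z 10.20.9.44 REQUEST file=%252e%252e%255csecret
2016-07-18T02:15:01Z 10.20.7.3 CONNECT_FAIL timeout
2016-07-18T02:15:02Z 10.20.7.3 CONNECT_FAIL timeout
2016-07-18T02:15:03Z 10.20.7.3 CONNECT_FAIL reset
2016-07-18T02:16:40Z 10.20.5.17 CONNECT_FAIL timeout
"""

SQLI = re.compile(r"['\"]\s*(?:or|and)\b|\bunion\s+select\b|;\s*(?:drop|insert|update|delete)\b", re.I)
TRAVERSAL = re.compile(r"\.\.[/\\]")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text, fail_threshold=3):
    """Return sorted (source_ip, reason) findings for the three signals."""
    findings, failures = set(), Counter()
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip malformed lines instead of crashing the monitor
        _, source, event = parts[:3]
        detail = decode_fully(parts[3]) if len(parts) == 4 else ""
        if event == "CONNECT_FAIL":
            failures[source] += 1
        if SQLI.search(detail):
            findings.add((source, "sql-syntax"))
        if TRAVERSAL.search(detail):
            findings.add((source, "path-traversal"))
    findings.update((s, "repeated-connect-fail") for s, n in failures.items() if n >= fail_threshold)
    return sorted(findings)

if __name__ == "__main__":
    for source, reason in scan(SAMPLE_LOG):
        print(source, reason)
```

Decoding before matching is what catches the double-encoded traversal line; the failure threshold is a tunable assumption and should reflect normal engineering-workstation behaviour on your network.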