OTPulse

ICSA-18-093-01 Siemens Building Technologies Products (Update A)

Act Now | CVSS 9.8 | ICS-CERT ICSA-18-093-01 | Mar 28, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Siemens building management and automation products contain input validation vulnerabilities that allow unauthenticated remote code execution. The vulnerabilities exist in License Management System, Desigo ABT, Desigo CC, Desigo Configuration Manager, Desigo XWP, SiteIQ Analytics, Siveillance Identity, and Annual Shading. Affected versions range from older releases through specific recent builds. An attacker can exploit these flaws to execute arbitrary commands on the management infrastructure without any valid credentials.

What this means
What could happen
An attacker can execute arbitrary code remotely on Siemens building management systems without authentication, potentially allowing them to alter HVAC settings, disable fire safety controls, or shut down critical building infrastructure operations.
Who's at risk
Building automation and facility management operators using Siemens Desigo systems (Desigo ABT, Desigo CC, Desigo XWP, Desigo Configuration Manager), SiteIQ Analytics, License Management System, and related infrastructure management products. This affects any organization managing HVAC, lighting, fire safety, or access control through these Siemens platforms.
How it could be exploited
An attacker on the network can send a specially crafted request to a vulnerable Siemens building management service. The service processes the request without proper input validation or authentication, allowing arbitrary code execution on the management server. Once compromised, the attacker can modify building automation logic, access sensitive configuration data, or disrupt facility operations.
Prerequisites
  • Network access to the Siemens management server on its service ports
  • No authentication credentials required
  • Vulnerable product version must be running
Remotely exploitable | No authentication required | Low complexity attack | CVSS 9.8 critical | Affects building safety and availability systems | No fixes available for most products except LMS
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (8)
1 with fix, 7 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Siveillance Identity | V1.1 | No fix (EOL) |
| License Management System (LMS) | <V2.1 SP3 2.1.670 | 2.1 SP4 (2.1.681) |
| Annual Shading | V1.0.4, V1.1 | No fix (EOL) |
| Desigo CC | MP1.1, MP2.0, MP2.1, MP3.0 | No fix (EOL) |
| Desigo Configuration Manager (DCM) | V6.10.140 | No fix (EOL) |
| Desigo XWP | V5.00.204, V5.00.260, V5.10.142, V5.10.212, V6.00.184, V6.00.342, V6.10.172 | No fix (EOL) |
| SiteIQ Analytics | V1.1, V1.2, and V1.3 | No fix (EOL) |
| Desigo ABT | MP1.1 Build 845, MP1.15 Build 360, MP1.16 Build 055, MP1.2 Build 850, MP1.2.1 Build 318, and MP2.1 Build 965 | No fix (EOL) |

Remediation & Mitigation
Do now
License Management System (LMS)
HOTFIX: Update License Management System (LMS) to version 2.1 SP4 (2.1.681) or newer. For Desigo CC MP2.1 or older, upgrade ALM Manager before applying LMS update.
All products
HARDENING: Isolate Siemens building management servers from external networks and untrusted internal networks using firewalls. Restrict access to management interfaces to authorized engineering workstations only.