OTPulse

Siemens XHQ Operations Intelligence

Action: Plan Patch
CVSS score: 8.8
Source: ICS-CERT ICSA-19-344-05
Published: Dec 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Siemens XHQ Operations Intelligence contains multiple vulnerabilities (CWE-352 cross-site request forgery, CWE-80 basic cross-site scripting through improper neutralization of script-related HTML tags in a web page, CWE-20 improper input validation) that let a remote attacker who holds no XHQ credentials of their own perform actions or read sensitive data through the browser of a user who is logged in to XHQ. All versions before V6.0.0.2 are affected. Exploitation requires user interaction: the logged-in user must click a malicious link or visit a compromised site.

What this means
What could happen
An attacker could trick a user into visiting a malicious website to execute unauthorized commands on XHQ, potentially altering monitoring data, process parameters, or administrative settings that affect industrial operations. This could result in loss of visibility into operations or unauthorized configuration changes.
Who's at risk
Plant managers, operations technicians, and engineering staff who use Siemens XHQ Operations Intelligence for monitoring and controlling industrial processes, particularly in water utilities, electric utilities, and discrete manufacturing that depend on visibility and remote administration of XHQ systems.
How it could be exploited
An attacker crafts a malicious page or link that targets the CSRF and input-handling flaws in XHQ. When a user with an active XHQ session opens it, the user's own browser sends the attacker's requests to XHQ, carrying the user's session cookie, so XHQ performs the requested actions as that user; a crafted link can also inject script that runs in the XHQ interface within the user's session. The attacker never needs to reach XHQ directly; only the victim's browser must be able to reach it.
Prerequisites
  • A user must be logged in to XHQ (an authenticated session in the browser)
  • That user must click the malicious link or visit the attacker-controlled site while the XHQ session is still valid
  • The user's browser must be able to reach the XHQ web interface; whether that connection is HTTP or HTTPS does not change the exploitability of CSRF or XSS, although plain HTTP additionally exposes the session to interception
Key characteristics
  • Remotely exploitable over the network
  • Low complexity attack (social engineering via link)
  • High CVSS score (8.8)
  • Requires user interaction but no specialized tools
  • Abuses the victim's existing authenticated session (CSRF), so the attacker needs no credentials of their own
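The mechanism behind the CSRF prerequisite above, as an added illustration that is not code from the advisory or from Siemens XHQ: a state-changing endpoint that accepts any request carrying a valid session cookie (the CWE-352 condition), beside the same endpoint with the two server-side checks that defeat a forged cross-site request, an Origin/Referer check and a per-session synchronizer token. The origin `https://xhq.example.local`, the setpoint endpoint, the cookie and field names, and the session dict are assumptions for the demonstration, not XHQ's real interface.

```python
"""
Added illustration, not code from the advisory or from Siemens XHQ.
Models a state-changing web endpoint first as it behaves when only the
session cookie is checked (the CWE-352 condition), then with the two
server-side checks that defeat a forged cross-site request. The origin,
endpoint and field names are assumptions for the demonstration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://xhq.example.local"          # assumed origin of the XHQ web server
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """Synchronizer token: random, bound to the server-side session, echoed back in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(header_value):
    """True only if an Origin/Referer header names the application's own origin."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return "%s://%s" % (parts.scheme, parts.netloc) == APP_ORIGIN


def csrf_check(request, session):
    """
    Decide whether a state-changing request may proceed.
    request is a constructed dict: {"method", "headers" (dict), "form" (dict)}.
    Returns (allowed, reason). Fails closed when the headers are absent.
    """
    if request["method"] not in STATE_CHANGING:
        return True, "safe method"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # Check 1: the browser-set Origin (or, failing that, Referer) must be ours.
    # A form on attacker.example posts with Origin: https://attacker.example.
    origin = headers.get("origin") or headers.get("referer")
    if not same_origin(origin):
        return False, "cross-site origin %r" % (origin,)
    # Check 2: the form must carry the token bound to this session. A cross-site
    # page cannot read it because of the same-origin policy.
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"


def handle_setpoint_update(request, session, csrf_protected):
    """
    Hypothetical endpoint that changes a value shown to operators.
    The browser attaches the session cookie automatically, so `session` is the
    victim's even when the request was triggered by another site.
    Returns the stored value, or None if the request was rejected.
    """
    if not session.get("user"):
        return None                       # no authenticated session at all
    if csrf_protected:
        allowed, _reason = csrf_check(request, session)
        if not allowed:
            return None
    session["setpoint"] = request["form"].get("setpoint")
    return session["setpoint"]


def demo():
    """Run one forged request against both variants; returns (vulnerable_result, hardened_result)."""
    victim_session = {"user": "operator1"}          # constructed: a logged-in XHQ user
    issue_csrf_token(victim_session)
    # What the victim's browser sends after loading the attacker's auto-submitting form:
    forged = {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example",
                    "Cookie": "session=<victim cookie, attached by the browser>"},
        "form": {"setpoint": "999"},      # no csrf_token field: the attacker cannot read it
    }
    vulnerable = handle_setpoint_update(forged, victim_session, csrf_protected=False)
    hardened = handle_setpoint_update(forged, victim_session, csrf_protected=True)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())   # ('999', None)
```

The Origin check alone is not enough, because some clients and proxies strip both Origin and Referer, and an XSS bug in the same origin (the CWE-80 item above) lets injected script send requests that pass the origin check; the token check covers the first case and marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer. None of these replaces the V6.0.0.2 update.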
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product    Affected Versions          Fix Status
XHQ        All versions < V6.0.0.2    Fixed in V6.0.0.2
Remediation & Mitigation
Do now
WORKAROUND: Enforce HTTPS-only communications to XHQ and disable HTTP access. This protects the session in transit but does not by itself stop CSRF or XSS, which work over HTTPS as well; treat it as defence in depth until the update is applied.
HARDENING: Follow the Siemens XHQ documentation to implement a secure IIS (Internet Information Services) configuration.
HARDENING: Restrict network access to XHQ to authorized engineering workstations and admin terminals only, using firewall rules. This limits which browsers can be turned into a CSRF relay but does not protect the workstations that are allowed through.
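Until the update is in place, the IIS logs behind XHQ give a way to spot the footprint a successful CSRF leaves: a state-changing request from an authenticated user whose Referer is another site, or is missing. The following is an added example, not part of the advisory and not a Siemens tool; it parses the W3C log format IIS writes (the `#Fields:` directive names the columns) and flags such requests. The host name `xhq.example.local`, the request paths and the log lines are constructed for the demonstration, and the site's log must include the `cs(Referer)` and `cs-username` fields for it to work.

```python
"""
Added example, not from the advisory or from Siemens: scan IIS W3C logs for
state-changing requests to the XHQ site whose Referer names another site or
is absent. Host names, paths and the log lines below are constructed.
"""
from urllib.parse import urlsplit

XHQ_HOSTS = {"xhq.example.local"}          # assumed: host names the XHQ site answers on
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample in IIS W3C extended format (field order comes from #Fields:).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2019-12-11 08:02:13 10.0.0.5 GET /xhq/ - 443 operator1 10.0.0.77 Mozilla/5.0 - 200
2019-12-11 08:02:40 10.0.0.5 POST /xhq/admin/settings - 443 operator1 10.0.0.77 Mozilla/5.0 https://xhq.example.local/xhq/admin 200
2019-12-11 08:05:02 10.0.0.5 POST /xhq/admin/settings - 443 operator1 10.0.0.77 Mozilla/5.0 http://news.example.com/article?id=7 200
2019-12-11 08:05:03 10.0.0.5 POST /xhq/admin/settings - 443 operator1 10.0.0.77 Mozilla/5.0 - 200
2019-12-11 08:06:00 10.0.0.5 GET /xhq/view - 443 operator1 10.0.0.77 Mozilla/5.0 http://news.example.com/ 200
this line is malformed and must be skipped
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the last #Fields: directive seen."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split(" ")        # IIS encodes embedded spaces as '+', so a plain split is safe
        if fields is None or len(values) != len(fields):
            continue                    # malformed, or data before any #Fields: directive
        yield dict(zip(fields, values))


def referer_host(ref):
    """Host part of a logged Referer, or None when IIS logged '-' (no header)."""
    if ref in ("-", ""):
        return None
    return urlsplit(ref).hostname


def find_suspect_requests(text):
    """
    Return (timestamp, user, path, verdict) for every authenticated state-changing
    request whose Referer is not one of XHQ's own hosts.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"] not in STATE_CHANGING:
            continue
        if rec.get("cs-username", "-") == "-":
            continue                    # unauthenticated writes are a different finding
        host = referer_host(rec.get("cs(Referer)", "-"))
        if host is None:
            verdict = "no-referer"      # stripped by browser or policy: cannot be cleared from the log alone
        elif host in XHQ_HOSTS:
            continue                    # same-site navigation, the normal case
        else:
            verdict = "cross-site-referer:%s" % host
        hits.append((rec["date"] + " " + rec["time"], rec["cs-username"], rec["cs-uri-stem"], verdict))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A cross-site Referer on an authenticated POST is a strong signal; a missing one is only a lead, since browsers under a strict Referrer-Policy omit it for ordinary navigation too (Chromium's default policy sends just the origin on cross-origin requests, which is still enough for the host comparison). The rule can only see what IIS logs, so keep `cs(Referer)` enabled on the XHQ site.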
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update XHQ Operations Intelligence to V6.0.0.2 or later.
Long-term hardening
HARDENING: Train users not to click unsolicited links or open attachments in email, especially those referencing XHQ or industrial systems.
API: /api/v1/advisories/01dbe5d8-c17c-4f4c-908c-dadc16319c85