OTPulse
FeedAboutContact

Siemens License Management Utility

Plan Patch7.8ICS-CERT ICSA-20-252-03Sep 8, 2020
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Siemens License Management Utility (LMU) versions prior to 2.4 contain an improper privilege handling vulnerability (CWE-250) that allows a local user with limited privileges to gain elevated permissions on the Windows Server where LMU is installed. This could enable unauthorized access to license management functions and potentially the underlying system.

What this means
What could happen
A local user with limited access to the LMU server could escalate their privileges to gain administrative control of the system, potentially allowing unauthorized modifications to license configurations or system settings that support industrial operations.
Who's at risk
Energy sector organizations operating Siemens License Management Utility on Windows Servers should prioritize this fix. This affects IT staff managing Siemens software licensing infrastructure in power generation, transmission, and distribution environments where license management supports operational tools and safety systems.
How it could be exploited
An attacker with local user access to the Windows Server running LMU exploits the privilege handling flaw to escalate to administrator-level privileges. Once elevated, the attacker could modify license management settings, disable licensing restrictions, or access sensitive system resources supporting OT operations.
Prerequisites
  • Local user account on the Windows Server where LMU is installed
  • Low privilege (non-administrator) credentials
  • Physical or remote desktop access to the LMU server
local privilege escalationlow attack complexityno authentication required once local access obtainedactively monitored by CISA (KEV candidate)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
License Management Utility (LMU): All<V2.42.4
Remediation & Mitigation
0/5
Do now
0/2
HARDENINGRestrict local user account creation on LMU servers to trusted personnel only
HARDENINGRestrict physical and remote desktop access to LMU servers to authorized administrators only
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Siemens License Management Utility to version 2.4 or later on all affected systems
HARDENINGApply Windows Server security hardening per corporate security policies and current industry guidelines (disable unnecessary services, apply principle of least privilege)
Long-term hardening
0/1
HARDENINGPlace LMU servers behind firewalls and isolate from business network if possible; use network segmentation to limit access
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/9af18a4f-20f3-41ac-a2ba-46604e36a99c
Siemens License Management Utility | CVSS 7.8 - OTPulse