OTPulse

Siemens and PKE Control Center Server

Act Now | CVSS 9.9 | ICS-CERT ICSA-21-103-10 | Apr 13, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens Control Center Server contains multiple vulnerabilities (CWE-317 weak cryptography, CWE-287 authentication bypass, CWE-22 path traversal, CWE-89 SQL injection, CWE-79 XSS, CWE-313 plaintext storage, and others) that allow an authenticated attacker to read and write arbitrary files, access sensitive data, and execute arbitrary commands on the server. Versions before 1.5.0 are affected. Versions 1.5.0 and later have partial mitigations but the advisory indicates "no fix available" for later versions, suggesting some vulnerabilities remain unfixed.

What this means
What could happen
An attacker with network access and valid credentials could read or write arbitrary files on the Control Center Server, steal sensitive configuration or operational data, or execute arbitrary commands that could disrupt process control and operator visibility across the industrial network.
Who's at risk
Water authorities and municipal utilities managing Siemens Control Center Servers (CCS) used to supervise SCADA networks, RTUs, PLCs, and field devices. Engineering and operations staff who rely on the CCS for process monitoring and configuration are at risk if credentials are compromised or the server is exposed to the network.
How it could be exploited
An attacker first authenticates to the Control Center Server using valid credentials (or default/weak credentials if not changed). Once authenticated via the web interface (port 5444) or FTP service (port 5440), the attacker can exploit multiple weaknesses including path traversal and insufficient input validation to read sensitive files, write malicious configuration files, or achieve remote code execution to run arbitrary commands on the server.
Prerequisites
  • Network access to Control Center Server on ports 5444/TCP (web interface) or 5440/TCP (FTP service)
  • Valid user credentials for the CCS system, or default/unchanged credentials if not hardened
  • Web interface or FTP service must be enabled on the CCS
  • Remotely exploitable via network ports 5444 and 5440
  • Requires valid user credentials for exploitation
  • Low attack complexity once authenticated
  • Critical CVSS score (9.9) with high integrity and confidentiality impact
  • Affects SCADA/process control visibility and supervisory operations
  • Partial fix: versions >= 1.5.0 still vulnerable to some issues; no fix planned for those versions
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Control Center Server (CCS) | < V1.5.0 | 1.5.0
Control Center Server (CCS) | ≥ V1.5.0 | 1.5.0
Remediation & Mitigation
Do now
Control Center Server (CCS)
WORKAROUND: Disable the web interface of CCS if not used, or restrict web access to localhost only and limit to trusted administrator hosts
WORKAROUND: Enable TLS encryption for the CCS web interface to protect credentials and data in transit
HARDENING: Configure firewall ACLs to restrict network access to CCS ports (5444, 5440) to only legitimate systems and administrative workstations
HARDENING: Enforce strong authentication, change all default credentials, and prevent unauthorized local access to the CCS server
All products
WORKAROUND: Disable the FTP service on Control Center Server if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Control Center Server to version 1.5.0 or later if available
Long-term hardening
Control Center Server (CCS)
HARDENING: Implement IPSec or application-level encryption and authentication mechanisms for network traffic to and from the CCS
HARDENING: Isolate the CCS and control system networks from the business network and Internet with firewalls and network segmentation
All products
HARDENING: Monitor network traffic on ports 5444/TCP and 5440/TCP for unauthorized access attempts
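
One way to implement the monitoring step for ports 5444/TCP and 5440/TCP, as an added example that is not part of the advisory or any vendor tooling: it scans firewall flow records and flags TCP connections to the CCS ports from sources outside an administrator allowlist. The log format, the CCS address 10.20.0.10 and the admin subnet 10.20.5.0/28 are assumptions made for illustration.

```python
import ipaddress

# Ports named in the advisory: 5444/TCP (web interface), 5440/TCP (FTP service).
CCS_PORTS = {5444: "web interface", 5440: "FTP service"}

# Assumption: hypothetical addressing for the CCS host and admin workstations.
CCS_HOSTS = {ipaddress.ip_address("10.20.0.10")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]

# Constructed sample flow records: "timestamp proto src:sport -> dst:dport action"
SAMPLE_FLOWS = """\
2021-04-13T08:00:01Z TCP 10.20.5.4:51822 -> 10.20.0.10:5444 ALLOW
2021-04-13T08:00:07Z TCP 192.168.40.77:40112 -> 10.20.0.10:5440 ALLOW
2021-04-13T08:00:09Z TCP 192.168.40.77:40113 -> 10.20.0.10:5444 DENY
2021-04-13T08:01:15Z UDP 192.168.40.77:5353 -> 10.20.0.10:5444 ALLOW
2021-04-13T08:02:30Z TCP 10.20.5.4:51900 -> 10.20.0.10:443 ALLOW
malformed line
"""

def parse_flow(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port, action), or None if unparsable."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src_ip, _ = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return (parts[0], parts[1], ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dst_port), parts[5])
    except ValueError:
        return None

def unauthorized_ccs_access(log_text):
    """Flag TCP flows to CCS ports whose source is outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if (flow := parse_flow(line)) is None:
            continue  # skip records that do not match the assumed format
        ts, proto, src, dst, dport, action = flow
        if proto != "TCP" or dst not in CCS_HOSTS or dport not in CCS_PORTS:
            continue  # not traffic to the services named in the advisory
        if any(src in net for net in ALLOWED_SOURCES):
            continue  # expected administrative access
        alerts.append({"time": ts, "src": str(src), "port": dport,
                       "service": CCS_PORTS[dport], "reached_server": action == "ALLOW"})
    return alerts

if __name__ == "__main__":
    print(*unauthorized_ccs_access(SAMPLE_FLOWS), sep="\n")
```

An alert with `reached_server` set to true means the firewall ACL let a non-allowlisted source through to the CCS, which points at a gap in the ACL hardening step as well as an access attempt.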