OTPulse

Siemens APOGEE and TALON

Act Now | CVSS 9.8 | ICS-CERT ICSA-21-257-07 | Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability exists in the integrated web server of APOGEE MBC, MEC, PXC (Compact and Modular) and TALON TC (Compact and Modular) devices when configured for P2 Ethernet or BACnet protocols. The vulnerability allows remote code execution with root privileges without authentication. Siemens has released firmware version 3.5.3 for BACnet variants of PXC and TALON TC devices. However, no fixes are available for APOGEE MBC, MEC, or the P2 Ethernet variants of PXC and TALON TC. Siemens recommends disabling the web server, restricting access to ports 80 and 443 to trusted addresses, and implementing network segmentation as compensating controls.

What this means
What could happen
An attacker with network access to the web interface could execute arbitrary commands with root privileges on APOGEE and TALON automation controllers, potentially disrupting HVAC, building automation, or energy management systems that depend on these devices for setpoint control and operational oversight.
Who's at risk
Water authorities and utilities operating Siemens APOGEE or TALON building automation and energy management systems. This includes facilities using APOGEE MBC/MEC controllers with P2 Ethernet connectivity, APOGEE PXC Compact/Modular controllers (BACnet or P2 Ethernet), and TALON TC Compact/Modular controllers for HVAC control, energy monitoring, or facility management. Impacts both small municipal systems and large enterprise campuses.
How it could be exploited
An attacker sends a specially crafted request to the integrated web server (port 80 or 443) of a vulnerable device. The buffer overflow in the web server allows the attacker to inject and execute arbitrary code with root-level privileges on the device. No authentication is required.
Prerequisites
  • Network reachability to the device on port 80/TCP or 443/TCP
  • Device running a vulnerable firmware version
  • Web server enabled (default state)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High CVSS score (9.8)
  • No patch available for P2 Ethernet variants
  • Affects building/energy management systems
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (8)
4 with fix, 4 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| APOGEE PXC Compact (BACnet) | < V3.5.3 | 3.5.3 |
| APOGEE MBC (PPC) (P2 Ethernet) | ≥ V2.6.3 | No fix (EOL) |
| APOGEE MEC (PPC) (P2 Ethernet) | ≥ V2.6.3 | No fix (EOL) |
| APOGEE PXC Compact (P2 Ethernet) | ≥ V2.8 | No fix (EOL) |
| APOGEE PXC Modular (BACnet) | < V3.5.3 | 3.5.3 |
| TALON TC Compact (BACnet) | < V3.5.3 | 3.5.3 |
| TALON TC Modular (BACnet) | < V3.5.3 | 3.5.3 |
| APOGEE PXC Modular (P2 Ethernet) | ≥ V2.8 | No fix (EOL) |

Remediation & Mitigation
Do now
  • WORKAROUND: Disable the integrated web server on affected devices where firmware updates are not available or not yet deployed
  • HARDENING: Restrict network access to ports 80/TCP and 443/TCP to trusted IP addresses only; implement firewall rules to block untrusted connections
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

APOGEE PXC Compact (BACnet)
  • HOTFIX: Update APOGEE PXC Compact (BACnet), APOGEE PXC Modular (BACnet), TALON TC Compact (BACnet), and TALON TC Modular (BACnet) devices to firmware version 3.5.3 or later
All products
  • WORKAROUND: Contact Siemens support for additional guidance on products where updates are not available
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE MBC (PPC) (P2 Ethernet), APOGEE MEC (PPC) (P2 Ethernet), APOGEE PXC Compact (P2 Ethernet), APOGEE PXC Modular (P2 Ethernet). Apply the following compensating controls:
  • HARDENING: Isolate affected devices on a protected network segment separated from the business network and internet-facing systems
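
To apply the affected-products table and the remediation split above to an asset inventory, the following added example (not part of the advisory or any Siemens or OTPulse tooling) classifies each controller as needing the 3.5.3 update, needing compensating controls because no fix exists, or falling outside the listed version range. The inventory rows, hostnames and the status labels are constructed for illustration; the rules cover only the eight rows of the table.

```python
import re

# Rules transcribed from the advisory's affected-products table:
# (product, protocol) -> (operator, boundary version, fixed version or None)
RULES = {
    ("APOGEE PXC Compact", "BACnet"): ("<", (3, 5, 3), "3.5.3"),
    ("APOGEE PXC Modular", "BACnet"): ("<", (3, 5, 3), "3.5.3"),
    ("TALON TC Compact", "BACnet"): ("<", (3, 5, 3), "3.5.3"),
    ("TALON TC Modular", "BACnet"): ("<", (3, 5, 3), "3.5.3"),
    ("APOGEE MBC (PPC)", "P2 Ethernet"): (">=", (2, 6, 3), None),
    ("APOGEE MEC (PPC)", "P2 Ethernet"): (">=", (2, 6, 3), None),
    ("APOGEE PXC Compact", "P2 Ethernet"): (">=", (2, 8), None),
    ("APOGEE PXC Modular", "P2 Ethernet"): (">=", (2, 8), None),
}

def parse_version(text):
    """Turn 'V3.5.2' or '2.8' into a tuple of ints; reject anything else."""
    match = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def triage(product, protocol, firmware):
    """Return 'unlisted', 'not-affected', 'update' or 'compensate'."""
    rule = RULES.get((product, protocol))
    if rule is None:
        return "unlisted"  # not in the table; decide from the vendor advisory
    op, boundary, fixed = rule
    version = parse_version(firmware)
    # Pad to equal length so that 2.8 and 2.8.0 compare as equal.
    width = max(len(version), len(boundary))
    version += (0,) * (width - len(version))
    boundary += (0,) * (width - len(boundary))
    affected = version < boundary if op == "<" else version >= boundary
    if not affected:
        return "not-affected"
    # A fixed release exists only for the BACnet variants; the rest are EOL.
    return "update" if fixed else "compensate"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("ahu-ctl-01", "APOGEE PXC Compact", "BACnet", "V3.5.2"),
    ("ahu-ctl-02", "APOGEE PXC Modular", "BACnet", "V3.5.3"),
    ("chiller-01", "APOGEE MBC (PPC)", "P2 Ethernet", "V2.8.2"),
    ("pump-ctl-07", "TALON TC Modular", "BACnet", "V3.4"),
]

if __name__ == "__main__":
    for host, product, protocol, firmware in INVENTORY:
        print(f"{host:12} {product} ({protocol}) {firmware}: "
              f"{triage(product, protocol, firmware)}")
```

Devices reported as "compensate" are the End of Life P2 Ethernet products, for which the web-server, port 80/443 and segmentation controls listed above are the only options.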