Siemens Teamcenter
Plan Patch | 7.2 | ICS-CERT ICSA-21-257-08 | Sep 14, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Siemens Teamcenter is affected by three vulnerabilities: incorrect privilege assignment (CWE-267), Insecure Direct Object Reference / IDOR (CWE-639), and XML External Entity Injection / XXE (CWE-611). These vulnerabilities can allow an authenticated attacker with high privileges to bypass access controls and access restricted data, or allow any user to execute arbitrary code by opening a crafted malicious file. Affected versions are Teamcenter 12.4 (before 12.4.0.8), 13.0 (before 13.0.0.7), 13.1 (before 13.1.0.5), and 13.2 (before 13.2.0.2). Siemens has released patched versions for all affected product lines.
What this means
What could happen
An attacker with high privileges could bypass access controls, access data they should not see, or execute malicious code via untrusted files, potentially compromising product design data and engineering workflows.
Who's at risk
Product lifecycle and engineering design teams at manufacturers of industrial equipment and control systems rely on Teamcenter for CAD data, drawings, and design collaboration. Anyone running Siemens Teamcenter versions 12.4 through 13.2 (before the specified patch versions) should prioritize updates, especially if Teamcenter is accessible from engineering networks or contains sensitive product designs for safety-critical equipment.
How it could be exploited
An attacker with administrative or high-level credentials on the Teamcenter system could exploit incorrect privilege assignment and IDOR vulnerabilities to access restricted objects or data. Alternatively, an attacker could craft malicious XML files and trick an authorized user into opening them in Teamcenter, triggering XXE injection to read local files or execute commands on the host system.
Prerequisites
- Network access to Teamcenter application server or web interface
- High-level user credentials (administrator or engineering role) for privilege escalation exploits
- For XXE: ability to deliver a malicious file to a Teamcenter user and convince them to open it
- Remotely exploitable over network
- High privilege requirement reduces immediate risk but insider threat is relevant
- XXE injection can lead to local file read and code execution
- Affects sensitive product design and engineering data
- Low public exploit availability but advisory is published and details are available
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Teamcenter V12.4 | <V12.4.0.8 | 12.4.0.8 |
| Teamcenter V13.0 | <V13.0.0.7 | 13.0.0.7 |
| Teamcenter V13.1 | <V13.1.0.5 | 13.1.0.5 |
| Teamcenter V13.2 | <13.2.0.2 | 13.2.0.2 |
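The following is an added example, not part of the advisory or of any Siemens tooling: it triages an inventory of Teamcenter version strings against the fix versions in the table above, comparing components numerically so that a build such as 12.4.0.10 is not mistaken for one older than 12.4.0.8. The host names and inventory values are constructed, and padding short version strings with zeros is an assumption.

```python
import re

# Fixed release per product line, taken from the advisory's table.
FIXED = {
    (12, 4): (12, 4, 0, 8),
    (13, 0): (13, 0, 0, 7),
    (13, 1): (13, 1, 0, 5),
    (13, 2): (13, 2, 0, 2),
}


def parse_version(text):
    """Turn 'V13.1.0.4' or '13.1.0.4' into a four-part integer tuple."""
    match = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+){1,3})\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    # Assumption: a short form such as '13.2' means 13.2.0.0.
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version_text):
    """Return (status, target_fix) for one installed version."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The advisory says nothing about this product line.
        return ("not-listed", None)
    if version < fixed:  # tuple comparison is numeric per component
        return ("affected", ".".join(str(n) for n in fixed))
    return ("fixed", None)


# Constructed inventory (hypothetical hosts and versions).
INVENTORY = {
    "plm-app-01": "V12.4.0.7",
    "plm-app-02": "12.4.0.10",
    "plm-app-03": "13.1.0.5",
    "plm-app-04": "13.2",
}


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, (status, target) in report(INVENTORY).items():
        print(host, status, f"-> update to {target}" if target else "")
```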
Remediation & Mitigation
Do now
- WORKAROUND: Do not open untrusted or unexpected files in Teamcenter; use email filters and user awareness training to prevent users from opening malicious attachments
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Teamcenter 12.4 to version 12.4.0.8 or later
- HOTFIX: Update Teamcenter 13.0 to version 13.0.0.7 or later
- HOTFIX: Update Teamcenter 13.1 to version 13.1.0.5 or later
- HOTFIX: Update Teamcenter 13.2 to version 13.2.0.2 or later
Long-term hardening
- HARDENING: Restrict local access to the Teamcenter application host to authorized personnel only; use OS-level access controls and physical security
- HARDENING: Isolate Teamcenter network segments from the business network using firewalls; restrict inbound access to authorized engineering workstations only