OTPulse

Siemens Desigo CC Family

Act Now · CVSS 10 · ICS-CERT ICSA-21-257-17 · Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Desigo CC, Desigo CC Compact, and Cerberus DMS contain an unsafe deserialization vulnerability in the CCOM communication component hosted in IIS. An unauthenticated attacker who can reach the CCOM port can send a malicious serialized object and obtain remote code execution on the server. Only systems with the Windows App or IE XBAP Web Client enabled are vulnerable; regular installed clients and HTML5 Flex Clients are not affected. The vulnerability is particularly critical for systems reachable from the Internet. Siemens has released patches for v4.0, v4.1, v4.2 and v5.0 (see Remediation below); v3.x and earlier will not receive patches and should be upgraded. For systems that cannot be patched immediately, disabling the Web Application/Web Client or blocking the CCOM port at the firewall reduces exposure.

What this means
What could happen
An unauthenticated attacker could run arbitrary code on the Desigo CC building management server or the Cerberus DMS danger management server, potentially allowing them to modify building automation setpoints, disable HVAC or lighting controls, or disrupt facility operations.
Who's at risk
Building automation and facility management operators running Siemens Desigo CC or Cerberus DMS systems, particularly those using Windows App or IE XBAP web clients. This affects any facility manager or utilities company using these systems for HVAC, lighting, or access control. Systems directly connected to the Internet face the highest risk.
How it could be exploited
An attacker sends a malicious serialized object to the CCOM communication component hosted in IIS on your Desigo CC server. The component deserializes the object without validation, allowing code execution. If your system is Internet-facing or accessible from an untrusted network, this can be done remotely without any credentials.
Prerequisites
  • Network access to the CCOM port on your IIS server
  • Windows App or IE XBAP Web Client must be enabled (regular installed clients and HTML5 Flex Clients are not affected)
  • System is reachable from the attacker's network (Internet for directly exposed systems, or local network if behind firewall)
  • remotely exploitable
  • no authentication required
  • low complexity
  • critical CVSS score (10.0)
  • affects building control systems that manage physical operations
  • flagged as actively weaponized in the wild (high-specificity indicators)
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (12)

Product                  Affected versions   Fix status
Cerberus DMS V4.0        All versions        Apply Patch 1520637
Cerberus DMS V4.1        All versions        Apply Patch 1417968
Cerberus DMS V4.2        All versions        4.2 QU1 and apply Patch 1417967
Cerberus DMS V5.0        < v5.0 QU1          5.0 QU1
Desigo CC Compact V4.0   All versions        Apply Patch 1520637
Desigo CC Compact V4.1   All versions        Apply Patch 1417968
Desigo CC Compact V4.2   All versions        4.2 QU1 and apply Patch 1417967
Desigo CC Compact V5.0   < v5.0 QU1          5.0 QU1
Desigo CC V4.0           All versions        Apply Patch 1520637
Desigo CC V4.1           All versions        Apply Patch 1417968
Desigo CC V4.2           All versions        4.2 QU1 and apply Patch 1417967
Desigo CC V5.0           < v5.0 QU1          5.0 QU1
Remediation & Mitigation
Do now
  • Workaround: Disable the Web Application and Web Client (Windows App and IE XBAP) from the SMC if they are not needed; this removes the exploitation path but breaks those client types.
  • Hardening: Block the CCOM port (inbound and outbound) at the firewall so that Desigo CC is reachable only from the local network, preventing Internet-based attacks.
  • Hardening: Ensure Desigo CC/Cerberus DMS is not directly exposed to the Internet; place it behind a firewall and restrict access to the local network or trusted networks only.
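The two firewall items above, carried out on the Windows server itself with Windows Defender Firewall. This is an added example written for this page, not a script from the advisory or from Siemens. The page does not state the CCOM port number, so the script first lists the IIS bindings for the operator to confirm it; the default `$CcomPort`, the `$TrustedNets` subnets and the rule names are assumptions to be replaced with the site's own values.

```powershell
# Added example (not from the advisory or from Siemens): confine the CCOM port of a
# Desigo CC / Cerberus DMS server to the local network with Windows Defender Firewall.
# Run in an elevated PowerShell on the IIS host that serves the CCOM component.
#Requires -RunAsAdministrator
param(
    [int]      $CcomPort    = 8080,                # ASSUMPTION: replace with the port bound to CCOM in IIS
    [string[]] $TrustedNets = @('10.20.30.0/24')   # ASSUMPTION: the operator's BMS/management subnets
)

# Public IPv4 space written as the complement of RFC 1918, loopback and link-local,
# so a single Block rule can express "everything that is not a private network".
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# 1. Confirm the port: show IIS bindings and what is actually listening on $CcomPort.
Import-Module WebAdministration -ErrorAction SilentlyContinue
Get-WebBinding | Select-Object protocol, bindingInformation
Get-NetTCPConnection -State Listen -LocalPort $CcomPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Inbound: allow the port only from the trusted subnets. Inbound traffic is blocked by
#    default, so this is sufficient as long as no broader Allow rule exists (audited in step 4).
New-NetFirewallRule -DisplayName 'Desigo CC CCOM - allow trusted nets' `
    -Direction Inbound -Protocol TCP -LocalPort $CcomPort `
    -RemoteAddress $TrustedNets -Action Allow -Profile Any

# 3. Outbound: the default is Allow and Block rules win over Allow rules, so block the
#    port towards public address space explicitly rather than trying to "allow only local".
New-NetFirewallRule -DisplayName 'Desigo CC CCOM - block public outbound' `
    -Direction Outbound -Protocol TCP -RemotePort $CcomPort `
    -RemoteAddress $PublicRanges -Action Block -Profile Any

# 4. Audit: any enabled inbound Allow rule that opens this port (or all ports) to 'Any'
#    remote address would undo step 2; list such rules so they can be disabled.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$CcomPort" -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($remote -join ',') }
    } |
    Where-Object { $_.RemoteAddress -eq 'Any' }
```

Step 4 matters more than steps 2 and 3: an existing "allow TCP from Any" rule for the IIS site (common after a product installer runs) is honoured alongside the new rule, so the host stays exposed until that rule is removed or scoped. The host firewall is a stopgap; the perimeter firewall rule in front of the server should carry the same restriction.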
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Cerberus DMS
  • v4.0: Apply Patch 1520637
  • v4.1: Apply Patch 1417968
  • v4.2: Update to v4.2 QU1 and apply Patch 1417967
  • v5.0: Update to v5.0 QU1 or later
Desigo CC Compact
  • v4.0: Apply Patch 1520637
  • v4.1: Apply Patch 1417968
  • v4.2: Update to v4.2 QU1 and apply Patch 1417967
  • v5.0: Update to v5.0 QU1 or later
Desigo CC
  • v4.0: Apply Patch 1520637
  • v4.1: Apply Patch 1417968
  • v4.2: Update to v4.2 QU1 and apply Patch 1417967
  • v5.0: Update to v5.0 QU1 or later
Long-term hardening
  • Desigo CC v3.x or older (no patch available): upgrade to Desigo CC v5.0 QU1 or later