OTPulse

Siemens Nucleus RTOS-based APOGEE and TALON Products (Update C)

Act Now · CVSS 9.8 · ICS-CERT ICSA-21-315-07 · Nov 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities (NUCLEUS:13) in the Nucleus RTOS used by Siemens APOGEE, TALON, and Desigo building automation controllers. These include memory corruption flaws (buffer overflows, out-of-bounds access), integer overflows, and input validation errors in DHCP, FTP, and other protocol implementations. An attacker with network access can send crafted protocol packets to trigger code execution or denial of service. Siemens has released patches for most recent product lines but has no fixes available for end-of-life APOGEE MBC/MEC (PPC) models.

What this means
What could happen
Multiple memory corruption and input validation vulnerabilities in these Siemens building automation controllers could allow an attacker on the network to execute arbitrary code or crash the device, disrupting HVAC, lighting, or other critical building systems.
Who's at risk
Building automation operators—particularly those managing HVAC, lighting, and environmental controls in facilities. Affects Siemens APOGEE and TALON controllers (MBC, MEC, PXC, and TC models) and Desigo PXC series controllers used in commercial buildings and campuses. The APOGEE MBC and MEC (PPC) models are end-of-life with no patch available, making them a persistent risk.
How it could be exploited
An attacker with network access to the device can send malformed DHCP packets, FTP commands, or other network protocol messages that trigger memory corruption bugs in the Nucleus RTOS kernel. Successful exploitation gives the attacker code execution with device privileges, allowing them to modify setpoints, disable alarms, or stop the controller entirely.
Prerequisites
  • Network access to the device (port 67 for DHCP, port 21 for FTP, or other affected protocol ports)
  • No authentication required—vulnerabilities are in protocol parsing before credential checks
  • Device must be running a vulnerable Nucleus RTOS version
Tags: remotely exploitable · no authentication required · low complexity · affects critical building control systems · some products have no patch available · multiple CVEs in same underlying component
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (23): 19 with fix, 4 EOL

Product                          | Affected Versions      | Fix Status
APOGEE PXC Compact (BACnet)      | <V3.5.4               | 3.5.4
APOGEE PXC Compact (P2 Ethernet) | <V2.8.19              | 2.8.19
APOGEE PXC Modular (BACnet)      | <V3.5.4               | 3.5.4
APOGEE PXC Modular (P2 Ethernet) | <V2.8.19              | 2.8.19
Desigo PXC00-E.D                 | ≥ V2.3 and <V6.30.016 | 6.30.016
Remediation & Mitigation
Do now
APOGEE MBC (PPC) (BACnet)
WORKAROUND: For APOGEE MBC and MEC (PPC) models with no available patch: disable DHCP and use static IP addressing
WORKAROUND: For APOGEE MBC and MEC (PPC) models with no available patch: disable FTP service
All products
WORKAROUND: Disable DHCP client and configure static IP addresses on all affected devices (unless already disabled by default)
WORKAROUND: Disable FTP service on all affected devices that have it enabled (note: disabled by default on Desigo products)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

APOGEE PXC Compact (P2 Ethernet)
HOTFIX: Update APOGEE PXC Compact and Modular (P2 Ethernet) to firmware version 2.8.19 or later; contact Siemens for support
APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact and Modular (BACnet) and TALON TC Compact and Modular (BACnet) to firmware version 3.5.4 or later; contact Siemens for support
All products
HOTFIX: Update Desigo products to firmware version 6.30.016 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE MBC (PPC) (BACnet), APOGEE MBC (PPC) (P2 Ethernet), APOGEE MEC (PPC) (BACnet), APOGEE MEC (PPC) (P2 Ethernet). Apply the following compensating controls:
HARDENING: Place all affected devices behind a firewall and restrict network access to only necessary ports and authorized subnets
HARDENING: Isolate the building automation network from the corporate IT network using network segmentation or air-gapping