OTPulse

Siemens Desigo PXC and DXR Devices

Act Now (9)
ICS-CERT ICSA-22-132-10
May 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Siemens Desigo DXR2, PXC3, PXC4, and PXC5 controllers contain multiple vulnerabilities in encryption, input validation, credential handling, and authentication mechanisms. These flaws could allow an authenticated attacker on the network to intercept unencrypted sensitive data, trigger denial-of-service conditions, execute remote code on the controller, or reset the device to factory defaults, disrupting building automation operations.

What this means
What could happen
An attacker with network access and valid credentials could intercept sensitive data in transit, crash the device causing loss of building automation control, execute arbitrary commands on the controller, or force a factory reset and loss of operational configuration.
Who's at risk
Building automation operators running Siemens Desigo controllers (DXR2, PXC3, PXC4, PXC5) should prioritize these updates. These devices manage heating, cooling, lighting, and other building system setpoints. Desigo systems are common in commercial buildings, data centers, municipal facilities, and utilities. Loss of control or unauthorized command injection could disrupt HVAC, lighting, or access control operations.
How it could be exploited
An attacker on the network with login credentials could exploit weak encryption or authentication flaws to intercept management traffic, inject commands through unvalidated inputs, or trigger a denial-of-service by sending malformed requests. These vulnerabilities may allow arbitrary code execution or device reset without requiring physical access.
Prerequisites
  • Network access to the affected Desigo device
  • Valid login credentials for the device or web interface
  • Knowledge of device management protocols or web interface endpoints
  • Remotely exploitable
  • Requires valid credentials
  • Affects control and configuration of building systems
  • Multiple vulnerability types (weak encryption, insufficient validation, insecure design)
Exploitability
Moderate exploit probability (EPSS 2.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Desigo DXR2 | All < 01.21.142.5-22 | 01.21.142.5-22
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Desigo devices using firewall rules; do not expose to the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Desigo DXR2 to firmware version 01.21.142.5-22 or later
HOTFIX: Update Desigo PXC3 to firmware version 01.21.142.4-18 or later
HOTFIX: Update Desigo PXC4 to firmware version 02.20.142.10-10884 or later
HOTFIX: Update Desigo PXC5 to firmware version 02.20.142.10-10884 or later
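The four hotfix lines above give one fixed firmware version per controller family, so the practical first step is to compare a building-automation asset inventory against those thresholds and list which devices still need the update. The script below is an added example written for this page, not OTPulse or Siemens code. The fixed versions are copied from the advisory; the ordering rule (compare the dotted segments numerically, then the trailing "-build" number) is an assumption about how Desigo firmware strings sort, and the hostnames and firmware values in the sample inventory are constructed for illustration.

```python
import re

# Fixed firmware versions as listed in the advisory's remediation section.
FIXED_VERSIONS = {
    "DXR2": "01.21.142.5-22",
    "PXC3": "01.21.142.4-18",
    "PXC4": "02.20.142.10-10884",
    "PXC5": "02.20.142.10-10884",
}

# Accepts "01.21.142.5-22" style strings: dotted numeric core plus optional "-build".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(version):
    """Turn '01.21.142.5-22' into ((1, 21, 142, 5), 22) for tuple comparison.

    Assumption: Desigo firmware orders segment by segment numerically, with the
    trailing '-NNN' build number as the least significant part. Leading zeros
    are dropped by int(), so '01' and '1' compare equal.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    core = tuple(int(part) for part in match.group(1).split("."))
    build = int(match.group(2)) if match.group(2) is not None else 0
    return core, build


def is_vulnerable(model, version):
    """True if the device runs firmware older than the fixed version.

    Returns None for models the advisory does not cover, so the caller can
    distinguish 'not affected by this advisory' from 'patched'.
    """
    fixed = FIXED_VERSIONS.get(model.upper())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory):
    """Classify (hostname, model, firmware) records; devices needing a patch sort first."""
    results = []
    for hostname, model, firmware in inventory:
        try:
            vulnerable = is_vulnerable(model, firmware)
        except ValueError:
            status = "UNPARSEABLE"      # needs a manual check of the device
        else:
            if vulnerable is None:
                status = "NOT IN ADVISORY"
            elif vulnerable:
                status = "PATCH"
            else:
                status = "OK"
        results.append((hostname, model, firmware, status))
    order = {"PATCH": 0, "UNPARSEABLE": 1, "NOT IN ADVISORY": 2, "OK": 3}
    results.sort(key=lambda row: order[row[3]])   # stable sort keeps inventory order within a status
    return results


def devices_needing_patch(inventory):
    """Hostnames whose firmware is below the fixed version, in inventory order."""
    return [row[0] for row in triage_inventory(inventory) if row[3] == "PATCH"]


# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = [
    ("bms-dxr2-01", "DXR2", "01.21.142.5-22"),       # exactly the fixed version
    ("bms-dxr2-02", "DXR2", "01.21.142.4-30"),       # older core version despite higher build
    ("bms-pxc3-01", "PXC3", "01.21.142.4-18"),       # fixed
    ("bms-pxc4-01", "PXC4", "02.20.142.10-10883"),   # one build short of the fix
    ("bms-pxc5-01", "PXC5", "02.20.142.10-10884"),   # fixed
    ("bms-pxc5-02", "PXC5", "02.20.142.9-11000"),    # older core version, large build number
    ("bms-other-01", "EXAMPLE-MODEL", "1.0-1"),      # placeholder model not in this advisory
    ("bms-dxr2-03", "DXR2", "unknown"),              # inventory record missing a usable version
]

if __name__ == "__main__":
    for hostname, model, firmware, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{status:16} {hostname:14} {model:14} {firmware}")
```

Running the block prints the triage table with the three devices that still need the hotfix at the top, followed by the record whose version string could not be parsed; anything reported as UNPARSEABLE should be checked on the device rather than assumed patched.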
Long-term hardening
HARDENING: Isolate building automation network from corporate business network with a firewall
HARDENING: If remote access to Desigo devices is required, use a VPN with up-to-date security patches