OTPulse

Siemens Desigo PXM Devices

Plan Patch · CVSS 8.8 · ICS-CERT ICSA-22-286-06 · Oct 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens Desigo PXM30, PXM40, PXM50, and PXG3 building automation controllers contain multiple vulnerabilities in the embedded webserver. These include command injection (CWE-78), sensitive information disclosure (CWE-200), cross-site scripting (CWE-79), cross-site request forgery (CWE-352), and improper neutralization flaws. An authenticated attacker with network access to the device's web interface could execute arbitrary commands on the controller, access sensitive configuration data, trigger denial of service conditions, or perform remote code execution. The vulnerabilities affect all versions prior to 02.20.126.11-41 (or 02.20.126.11-37 for certain models).

What this means
What could happen
An attacker with network access to a Desigo PXM device could execute arbitrary code, view sensitive configuration data, or disrupt building automation operations. This could allow manipulation of HVAC, lighting, or security systems without authorization.
Who's at risk
Organizations operating Siemens Desigo PXM building automation controllers, including facility managers, building operators, and maintenance teams at hospitals, offices, data centers, and industrial facilities that rely on these devices for HVAC, lighting, and climate control. Desigo PXM30, PXM40, and PXM50 series controllers and PXG3 gateway devices are affected.
How it could be exploited
An attacker must reach the device's web server over the network (port 80/443) and authenticate with valid credentials. Once authenticated, they can exploit multiple web application flaws including command injection to execute arbitrary code on the controller, which runs the building automation logic.
Prerequisites
  • Network access to the Desigo PXM device web server port (80 or 443)
  • Valid login credentials for the device web interface
  • Device running a vulnerable firmware version (below 02.20.126.11-41 for PXM, below 02.20.126.11-37 for PXG3.W100-1/W200-1)
  • Remotely exploitable over the network
  • Requires valid authentication credentials
  • Web application vulnerabilities (CWE-78 command injection, CWE-79 XSS, CWE-352 CSRF)
  • High CVSS score (8.8)
  • Affects critical building systems
  • Multiple vulnerability types in the same device (command injection, information disclosure, denial of service)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (10)
10 with fix
Product            Affected Versions      Fix Status
Desigo PXM30-1     < V02.20.126.11-41     02.20.126.11-41
Desigo PXM30.E     < V02.20.126.11-41     02.20.126.11-41
Desigo PXM40-1     < V02.20.126.11-41     02.20.126.11-41
Desigo PXM40.E     < V02.20.126.11-41     02.20.126.11-41
Desigo PXM50-1     < V02.20.126.11-41     02.20.126.11-41
Desigo PXM50.E     < V02.20.126.11-41     02.20.126.11-41
PXG3.W100-1        < V02.20.126.11-37     02.20.126.11-37
PXG3.W100-2        < V02.20.126.11-41     02.20.126.11-41
PXG3.W200-1        < V02.20.126.11-37     02.20.126.11-37
PXG3.W200-2        < V02.20.126.11-41     02.20.126.11-41
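The fix thresholds above differ per model (-37 for the PXG3.W100-1/W200-1 gateways, -41 for everything else), and the version strings do not compare correctly as plain text because the build number after the hyphen is not zero-padded. The following inventory check is an added example, not code from OTPulse or Siemens: it parses Desigo firmware strings into comparable integer tuples and reports which devices in a constructed asset list still need the hotfix. The product names and fix versions are the ones in the table; the hostnames, firmware values and the `Desigo PX-Web` entry in the sample inventory are invented for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

# Fixed firmware version per product, copied from the advisory's
# affected-products table. Anything that sorts below it is affected.
FIXED_VERSION = {
    "Desigo PXM30-1": "02.20.126.11-41",
    "Desigo PXM30.E": "02.20.126.11-41",
    "Desigo PXM40-1": "02.20.126.11-41",
    "Desigo PXM40.E": "02.20.126.11-41",
    "Desigo PXM50-1": "02.20.126.11-41",
    "Desigo PXM50.E": "02.20.126.11-41",
    "PXG3.W100-1": "02.20.126.11-37",
    "PXG3.W100-2": "02.20.126.11-41",
    "PXG3.W200-1": "02.20.126.11-37",
    "PXG3.W200-2": "02.20.126.11-41",
}

# Four dotted numeric fields, a hyphen, then a build number; an optional
# leading "V" as shown in the table's "<V02.20..." notation.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '02.20.126.11-41' (optionally prefixed with 'V') into an integer
    tuple. String comparison would be wrong here: '02.20.126.11-5' sorts after
    '02.20.126.11-41' lexically but is the older build."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Desigo firmware version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(product: str, firmware: str) -> bool:
    """True if this product/firmware pair is below the fix version for ICSA-22-286-06."""
    if product not in FIXED_VERSION:
        raise KeyError(f"product {product!r} is not listed in the advisory")
    return parse_version(firmware) < parse_version(FIXED_VERSION[product])


def triage(inventory: Iterable[Tuple[str, str, str]]):
    """Split an inventory of (hostname, product, firmware) into devices that still
    need the hotfix and products the advisory does not cover. Unknown products
    are reported rather than silently skipped so they get looked at separately."""
    needs_patch: List[Tuple[str, str, str, str]] = []
    unknown: List[Tuple[str, str]] = []
    for host, product, fw in inventory:
        if product not in FIXED_VERSION:
            unknown.append((host, product))
        elif is_affected(product, fw):
            needs_patch.append((host, product, fw, FIXED_VERSION[product]))
    return needs_patch, unknown


# Constructed sample inventory for the demonstration; not real devices.
SAMPLE_INVENTORY = [
    ("bms-ahu-01", "Desigo PXM40-1", "V02.20.126.11-37"),  # below -41: affected
    ("bms-ahu-02", "Desigo PXM40-1", "02.20.126.11-41"),   # at fix version
    ("bms-gw-01", "PXG3.W100-1", "02.20.126.11-37"),       # -37 is the fix for W100-1
    ("bms-gw-02", "PXG3.W100-2", "02.20.126.11-29"),       # W100-2 needs -41
    ("bms-legacy", "Desigo PX-Web", "01.00.000.00-1"),     # hypothetical, not in advisory
]

if __name__ == "__main__":
    pending, not_covered = triage(SAMPLE_INVENTORY)
    for host, product, fw, fix in pending:
        print(f"{host}: {product} running {fw}, update to {fix} or later")
    for host, product in not_covered:
        print(f"{host}: {product} is not covered by this advisory, check separately")
```

The same tuple comparison is what you want in any asset-management query for this advisory; filtering on the string alone would miss builds with a one- or two-digit suffix.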
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Desigo PXM devices using firewall rules; do not expose the web interface to the Internet or untrusted networks
HARDENING: Implement strong authentication credentials on all Desigo PXM web interfaces and change default passwords if applicable
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Desigo PXM30-1
HOTFIX: Update Desigo PXM30-1 to firmware version 02.20.126.11-41 or later
Desigo PXM30.E
HOTFIX: Update Desigo PXM30.E to firmware version 02.20.126.11-41 or later
Desigo PXM40-1
HOTFIX: Update Desigo PXM40-1 to firmware version 02.20.126.11-41 or later
Desigo PXM40.E
HOTFIX: Update Desigo PXM40.E to firmware version 02.20.126.11-41 or later
Desigo PXM50-1
HOTFIX: Update Desigo PXM50-1 to firmware version 02.20.126.11-41 or later
Desigo PXM50.E
HOTFIX: Update Desigo PXM50.E to firmware version 02.20.126.11-41 or later
PXG3.W100-1
HOTFIX: Update PXG3.W100-1 to firmware version 02.20.126.11-37 or later
PXG3.W100-2
HOTFIX: Update PXG3.W100-2 to firmware version 02.20.126.11-41 or later
PXG3.W200-1
HOTFIX: Update PXG3.W200-1 to firmware version 02.20.126.11-37 or later
PXG3.W200-2
HOTFIX: Update PXG3.W200-2 to firmware version 02.20.126.11-41 or later
Long-term hardening
HARDENING: Isolate Desigo PXM devices on a dedicated building automation network segment separate from general IT networks and corporate systems
API: /api/v1/advisories/f89d5445-0c44-4506-92c3-0e3e06cf4d54