Siemens Desigo CC and Cerberus DMS

Plan PatchCVSS 9.8ICS-CERT ICSA-22-286-16Jun 21, 2022

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Desigo CC and Cerberus DMS rely on SIMATIC WinCC OA, which implements only client-side authentication for parts of their client-server communication. This allows unauthenticated attackers to impersonate users or bypass authentication checks in the protocol. An attacker with network access could perform unauthorized actions on the building automation system without valid credentials. Siemens has not released patches for any affected version of Cerberus DMS, Desigo CC, or Desigo CC Compact and recommends network isolation and mitigation controls instead.

What this means

What could happen

An unauthenticated attacker on the network could impersonate legitimate users or bypass authentication in Desigo CC and Cerberus DMS, potentially allowing unauthorized modification of building automation parameters, alarms, or operational sequences without detection.

Who's at risk

Building automation system operators using Desigo CC or Cerberus DMS should be concerned. These systems are commonly deployed in hospitals, office buildings, data centers, and industrial facilities to control HVAC, lighting, energy management, and fire safety systems. All versions of both products are affected.

How it could be exploited

An attacker with network access to the Desigo CC or Cerberus DMS client-server communication ports can craft messages that spoof authenticated user sessions due to client-side-only authentication checks. This allows the attacker to inject commands, modify setpoints, or alter operational logic in the building automation system.

Prerequisites

Network access to Desigo CC or Cerberus DMS client-server communication ports
No valid user credentials required

Remotely exploitableNo authentication requiredLow complexity attackNo patch availableAffects critical building infrastructure controlsDefault client-only authentication weakness

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (6)

2 pending4 EOL

ProductAffected VersionsFix Status

SIMATIC WinCC OA V3.17All versions in non-default configurationNo fix yet

SIMATIC WinCC OA V3.18All versions in non-default configurationNo fix yet

SIMATIC WinCC OA V3.16All versions in default configurationNo fix (EOL)

Desigo CCAll versionsNo fix (EOL)

Cerberus DMSAll versionsNo fix (EOL)

Desigo CC CompactAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

Desigo CC

HARDENINGRestrict network access to Desigo CC and Cerberus DMS systems using firewalls; block unauthorized hosts from reaching the client-server communication ports

All products

HARDENINGIsolate building automation systems from corporate IT networks and the Internet using network segmentation or air-gapping

WORKAROUNDImplement server-side authentication validation in addition to client-side checks as documented in Siemens SSA-836027 (see referenced mitigation guidance)

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Desigo CC

HARDENINGMonitor Desigo CC and Cerberus DMS systems for suspicious client connections and authentication bypass attempts

All products

HOTFIXRegularly review and apply Siemens security updates and patches for SIMATIC WinCC OA and related products

CVEs (1)

CVE-2022-33139

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ac6a826b-f553-4804-9398-409c9558c733

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.