Siemens APOGEE/TALON Field Panels

Act NowCVSS 7.5ICS-CERT ICSA-22-349-10Dec 15, 2022

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A session handling vulnerability in multiple Siemens industrial control and building automation products allows an attacker with network access to hijack existing user sessions or spoof new sessions. Affected products include APOGEE PXC field panels (P2 Ethernet and BACnet variants), TALON TC Series panels, Calibre ICE, Mcenter, SCALANCE X-200RNA switches, SICAM GridPass, and SIMATIC RTLS Locating Manager. Successful exploitation could allow unauthorized access to these systems without valid credentials. The vulnerability affects authentication and session management across multiple product families used in energy sector infrastructure.

What this means

What could happen

An attacker could hijack active user sessions or create fraudulent sessions to these building management and network infrastructure devices, potentially gaining unauthorized access to critical HVAC, lighting, and power distribution controls.

Who's at risk

Energy sector utilities operating Siemens APOGEE/TALON building automation field panels, SCALANCE network switches for critical infrastructure, Calibre ICE power system planning software, and SICAM GridPass grid monitoring systems. This affects HVAC/mechanical systems, building security, distribution automation, and transmission system monitoring functions.

How it could be exploited

An attacker with network access to the affected devices could exploit a session handling vulnerability to spoof or intercept authentication credentials, allowing them to assume the identity of a legitimate user without needing the original password.

Prerequisites

Network access to the device (local network or Internet-exposed)
No authentication credentials required for exploitation

Remotely exploitableNo authentication requiredLow complexity attackHigh exploit probability (83.2%)Affects building management and grid infrastructureSome products have no vendor fix available

Exploitability

Likely to be exploited — EPSS score 83.5%

Public Proof-of-Concept (PoC) on GitHub (9 repositories)

Affected products (5)

2 with fix3 EOL

ProductAffected VersionsFix Status

Mcenter≥ V5.2.1.0No fix (EOL)

Calibre ICE≥ V2022.4<V2023.12023.1

SICAM GridPass≥ V1.80<V2.202.20

SCALANCE X-200RNA switch family≥ V3.2.7No fix (EOL)

SIMATIC RTLS Locating Manager (6GT2780-0DA00)≥ V2.13No fix (EOL)

Remediation & Mitigation

0/8

Do now

0/1

WORKAROUNDRestrict network access to these devices using firewall rules; block direct Internet access and limit to authorized engineering workstations or management networks only

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

Calibre ICE

HOTFIXUpdate Calibre ICE to V2023.1 or later

SICAM GridPass

HOTFIXUpdate SICAM GridPass to V2.20 or later

All products

HOTFIXUpdate APOGEE PXC Series (P2 Ethernet) to V2.8.20 or later

HOTFIXUpdate APOGEE PXC Series (BACnet) to V3.5.5 or later

HOTFIXUpdate TALON TC Series (BACnet) to V3.5.5 or later

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: Mcenter, SCALANCE X-200RNA switch family, SIMATIC RTLS Locating Manager (6GT2780-0DA00). Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate building management and power system devices from business networks and the Internet

HARDENINGIf remote access is required, enforce use of VPN and keep VPN software and connected devices fully patched

CVEs (2)

CVE-2022-3602 CVE-2022-3786

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/867a97b6-b190-454b-ab58-2c1c3088a5f6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.