Siemens TIA Project-Server formerly known as TIA Multiuser Server
Monitor · CVSS 6.7 · ICS-CERT ICSA-23-047-07 · Feb 14, 2023
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary
TIA Project-Server (formerly TIA Multiuser Server) contains an untrusted search path vulnerability that allows privilege escalation when a legitimate user is tricked into starting the service from an attacker-controlled directory. Siemens has released fixes for TIA Multiuser Server V15 (V15.1 Update 8), TIA Project-Server V1.0 (V1.1), and TIA Project-Server V17 (V17 Update 6). No fixes are planned for TIA Multiuser Server V14 or TIA Project-Server V16; Siemens recommends migrating those installations to TIA Project-Server V1.1 or later. Exploitation requires local access and user interaction and has high attack complexity.
What this means
What could happen
An attacker could escalate privileges on an engineering workstation running TIA Project-Server or TIA Multiuser Server by planting malicious files in the directory from which a legitimate user launches the service, potentially gaining control of the engineering environment and the ability to modify automation projects.
Who's at risk
Engineering teams at utilities and manufacturers who use Siemens TIA (Totally Integrated Automation) engineering software for automation project development and management. This affects workstations running TIA Multiuser Server (V14, V15) and TIA Project-Server (V1.0, V16, V17), particularly those sharing working directories over the network or using removable media.
How it could be exploited
An attacker places a malicious file in a directory the victim can launch from (for example a shared folder or a USB drive) and tricks or socially engineers a legitimate engineering user into starting TIA Project-Server or TIA Multiuser Server from that attacker-controlled path. Because the service resolves a component it needs through a search path that includes that directory, it loads and executes the attacker's file with the privileges of the account running the service, escalating the attacker's access.
Prerequisites
- Local access to the engineering workstation or network share where TIA Project-Server/Multiuser Server is launched
- Ability to place malicious files in the working directory before service startup
- A legitimate engineering user must be tricked or convinced to start the service from an attacker-controlled directory

- Requires user interaction (social engineering or physical access)
- Local exploitation only; not remotely exploitable
- High attack complexity: requires specific conditions and legitimate user action
- No patch available for V14 and V16
- Affects engineering workstations that control automation systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5): 4 with fix, 1 EOL

Product                    | Affected versions  | Fix status
TIA Multiuser Server V14   | All versions       | No fix (EOL)
TIA Project-Server V16     | All versions       | No fix; migrate to V1.1
TIA Multiuser Server V15   | < V15.1 Update 8   | V15.1 Update 8
TIA Project-Server (V1.0)  | < V1.1             | V1.1
TIA Project-Server V17     | < V17 Update 6     | V17 Update 6
Remediation & Mitigation
Do now
TIA Project-Server
WORKAROUND: Ensure the working directory used when launching TIA Project-Server or TIA Multiuser Server contains only trusted files and cannot be modified by untrusted users.
HARDENING: Restrict write access to the directories TIA Project-Server or TIA Multiuser Server is launched from; use NTFS permissions to prevent unauthorized file placement.
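The two "Do now" controls (trusted-only contents and NTFS write restrictions) can be checked, and the ACL part enforced, with the PowerShell script below. It is an added example, not code from the advisory or from Siemens. The launch directory path, the list of untrusted principals (English account names), and the set of file extensions inspected are assumptions to be adjusted per installation; the script also flags the network-share and removable-media launch locations described under "Who's at risk".

```powershell
# Added example, not part of the advisory or of Siemens' software.
# Audits the directory TIA Project-Server / TIA Multiuser Server is started
# from and reports the conditions the advisory warns about. Run from an
# elevated PowerShell prompt on the engineering workstation.
function Test-TiaLaunchDirectory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Directory the service is launched from (assumption: adjust per installation).
        [Parameter(Mandatory)] [string] $Path,

        # Principals that must never be able to write here (assumption: English
        # well-known account names; localized systems use different names).
        [string[]] $UntrustedPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        ),

        # Remove the offending write ACEs instead of only reporting them.
        [switch] $Harden
    )

    $dir = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not $dir.PSIsContainer) { throw "$Path is not a directory" }
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Location: a UNC path or a removable/network drive is the
    #    attacker-controlled directory scenario from the advisory.
    if ($dir.FullName -like '\\*') {
        $findings.Add("launch directory is a network share: $($dir.FullName)")
    } else {
        $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($dir.PSDrive.Name):'"
        if ($disk.DriveType -in @(2, 4)) {   # 2 = removable, 4 = network drive
            $findings.Add("launch directory is on a removable or network drive (DriveType $($disk.DriveType))")
        }
    }

    # 2. NTFS ACL: any Allow ACE granting write-type rights to an untrusted principal.
    $writeMask = [System.Security.AccessControl.FileSystemRights] 'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles'
    $acl = Get-Acl -LiteralPath $dir.FullName
    $riskyAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $UntrustedPrincipals -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    })
    foreach ($ace in $riskyAces) {
        $findings.Add("$($ace.IdentityReference) has $($ace.FileSystemRights) on $($dir.FullName)")
    }

    # 3. Contents: binaries next to the launcher are what an untrusted search
    #    path would pick up. Anything without a valid Authenticode signature
    #    is reported for manual review (extension list is an assumption).
    Get-ChildItem -LiteralPath $dir.FullName -File |
        Where-Object { $_.Extension -in @('.dll', '.exe', '.ocx') } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings.Add("binary without valid signature in launch directory: $($_.Name) ($($sig.Status))")
            }
        }

    # 4. Optional hardening: strip the offending explicit ACEs (the NTFS
    #    restriction recommended above). Inherited ACEs cannot be removed
    #    this way; disable inheritance on the directory first. Honors -WhatIf.
    if ($Harden -and $riskyAces.Count -gt 0) {
        $changed = $false
        foreach ($ace in $riskyAces) {
            if ($ace.IsInherited) {
                $findings.Add("ACE for $($ace.IdentityReference) is inherited; disable inheritance before removing it")
                continue
            }
            if ($PSCmdlet.ShouldProcess($dir.FullName, "remove write ACE for $($ace.IdentityReference)")) {
                [void] $acl.RemoveAccessRule($ace)
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $dir.FullName -AclObject $acl }
    }

    [pscustomobject]@{
        Path     = $dir.FullName
        Safe     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (the path is an assumption for illustration):
# Test-TiaLaunchDirectory -Path 'D:\ProjectServer'
# Test-TiaLaunchDirectory -Path 'D:\ProjectServer' -Harden -WhatIf
```

Run it once per launch location (including any shortcut or scheduled task that starts the service from a different working directory) and treat a non-empty Findings list as a blocker before the service is started. The signature check is only a triage aid: an unsigned helper DLL may be legitimate, but it is exactly the kind of file that should not be sitting in a directory the advisory's workaround says must contain only trusted content.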
Schedule — requires maintenance window
Patching may require a reboot of the engineering workstation; plan for process interruption.
TIA Multiuser Server V15
HOTFIX: Update TIA Multiuser Server V15 to V15.1 Update 8 or later.
TIA Project-Server
HOTFIX: Update TIA Project-Server V1.0 to V1.1 or later.
HOTFIX: Update TIA Project-Server V17 to V17 Update 6 or later.
Long-term hardening
TIA Multiuser Server V14
HOTFIX: Migrate TIA Multiuser Server V14 and V15 to TIA Project-Server V1.1 or later.
TIA Project-Server V16
HOTFIX: Migrate TIA Project-Server V16 to TIA Project-Server V1.1 or later.
Mitigations - no patch available
TIA Multiuser Server V14 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate engineering workstations running TIA tools from general network access and limit access to trusted personnel only.
CVEs (1)