Siemens Desigo CC product family
Priority: Act Now · CVSS 9.1 · ICS-CERT ICSA-23-320-03 · Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens Desigo CC product family (V5.0, V5.1, V6, and V7) and SENTRON powermanager (V4.0 and later) contain multiple remote code execution and denial-of-service vulnerabilities in the third-party WIBU Systems CodeMeter Runtime component that ships with them. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code on the Desigo CC server or cause service disruption. Desigo CC V5.0, V5.1, and V6 are affected by all of the vulnerabilities; V7 is affected only by CVE-2023-3935. Siemens has released a patch that updates the CodeMeter Runtime component; check the fix status of your specific version in the affected-products list below, since not every listed version has a fix available.
What this means
What could happen
An attacker could remotely execute arbitrary code on the Desigo CC building automation server, then alter HVAC setpoints, lighting schedules, or access-control configuration, or crash the server and leave operators without facility management visibility and control. These servers often supervise critical building infrastructure, including emergency systems, so a loss of integrity or availability has physical consequences.
Who's at risk
Energy sector operators, municipal utilities, and facility managers running Siemens Desigo CC (building automation and energy management) or SENTRON powermanager (power distribution monitoring), particularly sites that depend on centralized facility control for HVAC, lighting, power distribution, or emergency systems.
How it could be exploited
An attacker with network access sends a specially crafted request to the CodeMeter Runtime network service on the Desigo CC server, triggering a flaw in the licensing component. No authentication or user interaction is required; no Desigo CC credentials or prior foothold are needed. Because the vulnerable code lives in a third-party service that runs with server privileges, a successful exploit yields remote code execution at that privilege level, or terminates the process (denial of service). The practical attack surface is therefore whatever can reach the CodeMeter network port.
Prerequisites
- Network access to the Desigo CC server on the CodeMeter Runtime listening port(s)
- No authentication required
- Desigo CC V5.0, V5.1, V6, or V7, or SENTRON powermanager V4.0 or later, in scope
Why it matters: remotely exploitable; no authentication required; low complexity; high CVSS score (9.1); affects building automation and energy management systems
Exploitability
Moderate exploit probability (EPSS 8.2%)
Affected products (5)
1 pending, 4 EOL
Product | Affected Versions | Fix Status
Desigo CC family V5.0 | All versions | No fix (EOL)
Desigo CC family V5.1 | All versions | No fix (EOL)
Desigo CC family V6 | All versions | No fix (EOL)
SENTRON powermanager | ≥ V4.0 | No fix (EOL)
Desigo CC family V7 | All versions | No fix yet
Remediation & Mitigation
Do now
Scope: SENTRON powermanager
HOTFIX: Apply the Siemens patch that updates the CodeMeter Runtime component on all affected Desigo CC and SENTRON powermanager systems.
Scope: All products
WORKAROUND: Restrict network access to Desigo CC servers with firewall rules, network segmentation, or access control lists; allow only authorized management workstations and the building automation devices that must reach the server, and verify that the CodeMeter Runtime network port is not reachable from general IT or untrusted networks.
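One way to apply the network restriction above on a Windows-based Desigo CC server, added here as an illustration (this is not Siemens' or WIBU's own code): it disables broad inbound allow rules for the CodeMeter Runtime program and replaces them with a single rule scoped to the management allowlist. TCP 22350 is CodeMeter's documented default network port, the install path is the Runtime's default, and the $AllowedHosts addresses are placeholders; all three are assumptions to verify on your own system. Windows Firewall gives block rules precedence over allow rules, so the pattern is "default inbound Block plus one narrow Allow", not "Block all plus Allow some".

```powershell
# Added example, not Siemens' or WIBU's code. Restricts inbound access to the
# CodeMeter Runtime network service on a Windows-based Desigo CC server.
# Assumptions to verify on your system:
#   - CodeMeter's network server listens on TCP 22350 (WIBU's documented default):
#       Get-NetTCPConnection -State Listen | Where-Object LocalPort -eq 22350
#   - the Runtime is installed at the default path below;
#   - $AllowedHosts are placeholder addresses of your management workstations and
#     the building automation devices that must reach the server.
# Run from an elevated PowerShell session.

$CodeMeterPort = 22350
$CodeMeterExe  = 'C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe'
$AllowedHosts  = @('10.10.5.10', '10.10.5.11', '10.10.20.0/24')
$RuleName      = 'CodeMeter Runtime - allow only management hosts'

# 1. Disable any existing broad inbound allow rule for the CodeMeter program or port
#    (the Runtime installer typically adds one). Leaving it in place would undo the
#    restriction, because the broad allow matches the same traffic.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object {
        ($_ | Get-NetFirewallApplicationFilter).Program -like '*\CodeMeter.exe' -or
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$CodeMeterPort"
    } |
    ForEach-Object {
        Write-Host "Disabling broad rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 2. Make sure every profile drops inbound traffic that no rule explicitly allows.
#    Block rules override allow rules in Windows Firewall, so "block all + allow some"
#    cannot be written as two rules; the scoped allow must sit on a default of Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 3. Allow the CodeMeter port only from the approved hosts and only for the CodeMeter binary.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $CodeMeterPort -RemoteAddress $AllowedHosts -Program $CodeMeterExe `
    -Action Allow -Profile Any | Out-Null

# 4. Verify: the address filter on the new rule should list exactly the allowlist.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

After applying it, confirm from a host outside the allowlist that a TCP connection to the port times out or is refused, and from an authorized workstation that Desigo CC licensing still works. License lookups made on the server itself are unaffected, because Windows Firewall does not filter loopback traffic.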
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
HARDENING: Monitor Desigo CC server logs for suspicious network activity or unexpected process behavior, and set up alerting on CodeMeter Runtime anomalies (for example, connections to the licensing service from hosts outside the management allowlist, or the CodeMeter service spawning child processes).
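An example of the monitoring item above, added here as an illustration and not Siemens' or WIBU's code: three checks that a scheduled task could run on a Windows-based Desigo CC server and raise an alert on any output. It assumes CodeMeter's network service is the CodeMeter.exe process listening on TCP 22350 (WIBU's default), that Windows Firewall logging is enabled with its default pfirewall.log field layout, and that the $AllowedHosts addresses and the sample log lines are constructed placeholders rather than real traffic.

```powershell
# Added example, not Siemens' or WIBU's code. Three CodeMeter Runtime anomaly checks
# for a Windows-based Desigo CC server. Assumptions to verify locally:
#   - CodeMeter's network service is CodeMeter.exe listening on TCP 22350 (WIBU default);
#   - Windows Firewall logging is on (Set-NetFirewallProfile -LogBlocked True -LogAllowed True)
#     and writes the default pfirewall.log field layout;
#   - $AllowedHosts are placeholder management-workstation addresses.

$CodeMeterPort = 22350
$AllowedHosts  = @('10.10.5.10', '10.10.5.11')
$FirewallLog   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Check 1: CodeMeter.exe has no reason to spawn child processes. A shell or script
# host under it is the classic post-exploitation sign of a successful RCE.
function Get-CodeMeterChildProcess {
    foreach ($p in (Get-Process -Name CodeMeter -ErrorAction SilentlyContinue)) {
        Get-CimInstance Win32_Process -Filter "ParentProcessId = $($p.Id)" |
            Select-Object ProcessId, Name, CommandLine,
                          @{ n = 'Parent'; e = { "CodeMeter.exe ($($p.Id))" } }
    }
}

# Check 2: live TCP sessions to the CodeMeter port from hosts outside the allowlist.
function Get-UnexpectedCodeMeterPeer {
    Get-NetTCPConnection -LocalPort $CodeMeterPort -State Established -ErrorAction SilentlyContinue |
        Where-Object { $AllowedHosts -notcontains $_.RemoteAddress } |
        Select-Object RemoteAddress, RemotePort, OwningProcess
}

# Check 3: inbound hits on the CodeMeter port in the firewall log, allowed or dropped,
# from non-allowlisted sources. An ALLOW from an unknown host means a rule is too broad.
# pfirewall.log "#Fields:" layout (17 whitespace-separated columns):
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn
#   tcpack tcpwin icmptype icmpcode info path
function Find-CodeMeterProbe {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        if ($f[3] -eq 'TCP' -and $f[7] -eq "$CodeMeterPort" -and $f[16] -eq 'RECEIVE' -and
            $AllowedHosts -notcontains $f[4]) {
            [pscustomobject]@{
                Time       = "$($f[0]) $($f[1])"
                Action     = $f[2]
                Source     = $f[4]
                SourcePort = $f[6]
                Flags      = $f[9]
            }
        }
    }
}

# Constructed sample log lines (not real traffic): one legitimate allow, one dropped
# probe, and one allow from an unknown host that should trigger a rule review.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2023-11-15 09:12:01 ALLOW TCP 10.10.5.10 10.10.5.50 51822 22350 52 S 3451234567 0 8192 - - - RECEIVE',
    '2023-11-15 09:12:07 DROP TCP 192.168.77.5 10.10.5.50 40311 22350 52 S 99112233 0 65535 - - - RECEIVE',
    '2023-11-15 09:12:09 ALLOW TCP 172.16.9.23 10.10.5.50 40312 22350 52 S 99112299 0 65535 - - - RECEIVE'
)
Find-CodeMeterProbe -Lines $sample | Format-Table   # flags 192.168.77.5 (DROP) and 172.16.9.23 (ALLOW)

# Against the live system, e.g. from a scheduled task that alerts on any output:
Get-CodeMeterChildProcess
Get-UnexpectedCodeMeterPeer
if (Test-Path $FirewallLog) {
    Find-CodeMeterProbe -Lines (Get-Content $FirewallLog -Tail 5000) | Format-Table
}
```

Check 1 is the highest-signal of the three: a licensing daemon launching cmd.exe or powershell.exe is almost never legitimate, whereas checks 2 and 3 will produce noise until the allowlist is complete, so tune them against a week of normal traffic before wiring them to paging.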
Mitigations (no patch available)
The following products have reached End of Life with no planned fix: Desigo CC family V5.0, Desigo CC family V5.1, Desigo CC family V6, SENTRON powermanager. Apply the following compensating controls:
HARDENING: Review and implement Siemens' operational security guidelines for industrial environments; deploy Desigo CC systems only in protected network segments as described in the product manuals, and treat the network access restriction above as the primary control for these versions, since no patch will close the vulnerability.