Siemens TeleControl Server
Plan Patch | CVSS 10 | ICS-CERT ICSA-24-319-10 | Nov 12, 2024
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
TeleControl Server Basic V3.1 contains a deserialization vulnerability (CWE-502) that allows an unauthenticated network attacker to execute arbitrary code on the device. An attacker can send a crafted serialized message to the server, which deserializes and executes untrusted data without validation. This affects all capacity variants (8, 32, 64, 256, 1000, 5000 point models) and redundant-capable versions. Siemens has released patched versions 3.1.2.1 or later.
What this means
What could happen
An unauthenticated attacker on the network could execute arbitrary code on TeleControl Server Basic devices, potentially allowing them to modify telecontrol commands, disrupt communications with remote terminal units (RTUs), or halt critical remote management operations.
Who's at risk
Water utilities and power companies using Siemens TeleControl Server Basic for remote terminal unit (RTU) management and SCADA communications. All versions of TeleControl Server Basic V3.1 below 3.1.2.1 are affected, including all capacity models (8 to 5000 point variants) and redundant configurations.
How it could be exploited
An attacker sends a specially crafted serialized message to the TeleControl Server over the network. The server deserializes the untrusted data without validation, executing embedded malicious code. This allows remote command execution without requiring login credentials.
Prerequisites
- Network access to TeleControl Server Basic on its service port (typically accessible from SCADA network or management LAN)
- No authentication required
remotely exploitable | no authentication required | low complexity | high CVSS (10.0)
Exploitability
Some exploitation risk — EPSS score 8.7%
Affected products (13)
13 with fix
Product | Affected Versions | Fix Status
TeleControl Server Basic Upgr V3.1 | <V3.1.2.1 | 3.1.2.1
PP TeleControl Server Basic 1000 to 5000 V3.1 | <V3.1.2.1 | 3.1.2.1
PP TeleControl Server Basic 256 to 1000 V3.1 | <V3.1.2.1 | 3.1.2.1
PP TeleControl Server Basic 32 to 64 V3.1 | <V3.1.2.1 | 3.1.2.1
PP TeleControl Server Basic 64 to 256 V3.1 | <V3.1.2.1 | 3.1.2.1
PP TeleControl Server Basic 8 to 32 V3.1 | <V3.1.2.1 | 3.1.2.1
TeleControl Server Basic 1000 V3.1 | <V3.1.2.1 | 3.1.2.1
TeleControl Server Basic 256 V3.1 | <V3.1.2.1 | 3.1.2.1
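The affected range above (V3.1 below 3.1.2.1) can be checked against an asset inventory. The following is an added example, not part of the advisory or any Siemens tooling; the inventory layout, hostnames and installed versions are constructed, and it assumes versions are recorded as dotted numbers with an optional leading "V".

```python
import re

FIXED = (3, 1, 2, 1)      # first fixed version, from the advisory
AFFECTED_BRANCH = (3, 1)  # the advisory covers the V3.1 line only

def parse_version(text):
    """Turn 'V3.1.2.1' or '3.1.2' into a 4-part tuple, padding with zeros."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def classify(version_text):
    """Return 'affected', 'fixed', 'out-of-scope' or 'unknown'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"          # needs a manual check, never assume fixed
    if v[:2] != AFFECTED_BRANCH:
        return "out-of-scope"     # this advisory makes no statement about it
    # Tuple comparison is numeric per component, so 3.1.10 sorts after 3.1.2.1.
    return "affected" if v < FIXED else "fixed"

def triage(inventory):
    """Group (host, product, version) rows by classification."""
    report = {"affected": [], "fixed": [], "out-of-scope": [], "unknown": []}
    for host, product, version in inventory:
        if "telecontrol server basic" not in product.lower():
            continue              # not a product named in this advisory
        report[classify(version)].append(host)
    return report

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("tcsb-01", "TeleControl Server Basic 256 V3.1", "V3.1.2"),
    ("tcsb-02", "TeleControl Server Basic 1000 V3.1", "3.1.2.1"),
    ("tcsb-03", "PP TeleControl Server Basic 8 to 32 V3.1", "V3.1.1.0"),
    ("tcsb-04", "TeleControl Server Basic 8 V3.1", "3.1.10"),
    ("tcsb-05", "TeleControl Server Basic 64 V3.1", "n/a"),
    ("hmi-01", "Some other product", "1.0"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" have a version string the parser could not read and should be checked by hand rather than treated as fixed.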
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to TeleControl Server Basic devices to trusted engineering workstations and SCADA master stations only using firewall rules
WORKAROUND: Disable redundancy features on TeleControl Server Basic if they are not actively used in your configuration
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update all affected TeleControl Server Basic devices to firmware version 3.1.2.1 or later
Long-term hardening
HARDENING: Segment TeleControl Server Basic devices onto a separate managed network with access control lists (ACLs) that limit inbound connections to known trusted sources
CVEs (1)