OTPulse

Siemens Teamcenter

Plan Patch
CVSS: 7.4
ICS-CERT: ICSA-25-044-07
Published: Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

The SSO (Single Sign-On) login service in Siemens Teamcenter contains an open redirect vulnerability. An attacker can redirect a legitimate user from the Teamcenter login page to an attacker-controlled website, where the user's session credentials can be captured. This allows unauthorized access to Teamcenter and the ability to view or modify sensitive design and engineering data. Affected versions include Teamcenter V14.1, V14.2, V14.3 (before 14.3.0.14), V2312 (before 2312.0010), V2406 (before 2406.0008), and V2412 (before 2412.0004). Siemens has released patched versions for V14.3 and later product lines.

What this means
What could happen
An attacker could craft a malicious link that appears to come from your Teamcenter login page but redirects users to a fake login form to steal their session credentials. Once compromised, an attacker could access design files, project data, and potentially alter manufacturing or engineering information within Teamcenter.
Who's at risk
This vulnerability affects organizations that use Siemens Teamcenter for design collaboration, engineering document management, and product lifecycle management (PLM). It is particularly relevant for manufacturing companies, automotive suppliers, and engineering firms that rely on Teamcenter to manage sensitive design data and engineering specifications. If Teamcenter is used in your organization, your design and engineering teams are at risk if they access the system via email links or external communications.
How it could be exploited
An attacker sends a legitimate-looking email or message containing a crafted Teamcenter login link that redirects to an attacker-controlled website. When a user clicks the link and logs in, their session token is captured. The attacker then uses that token to access Teamcenter with the victim's privileges and can view or modify sensitive engineering and design data.
Prerequisites
  • User must click on an attacker-provided link
  • User must be connected to the network where Teamcenter is accessible
  • No special network access or valid credentials required from the attacker
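The open redirect described above, illustrated from the defender's side (an added example, not code from Siemens or OTPulse): the redirect-target check a login service should apply before honouring a post-login return URL, plus a scan of constructed access-log lines for login requests whose redirect parameter would leave the allowed hosts. The `/sso/login` path, the `returnUrl` parameter name and the allowed host are assumptions; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts a post-login redirect may legitimately target (constructed placeholder;
# in a real deployment this is the Teamcenter web tier's own hostname(s)).
ALLOWED_HOSTS = {"teamcenter.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` keeps the browser on an allowed host: rejects
    other hosts, scheme-relative and slash-collapsed forms ("//h", "///h"),
    non-http(s) schemes, userinfo tricks ("allowed@other") and backslashes."""
    target = (target or "").strip()
    if not target or "\\" in target:  # browsers treat '\' like '/'
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        # .hostname drops userinfo and port and lowercases, so compare on it
        return parts.hostname in allowed_hosts
    # No authority part: accept only a plain same-origin path, never "//..."
    return target.startswith("/") and not target.startswith("//")


# Hypothetical access-log shape: the advisory does not name the vulnerable
# parameter or path, so these only illustrate the detection logic.
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP')


def flag_external_redirects(log_lines, param="returnUrl"):
    """Return (client_ip, target) for login requests whose redirect parameter
    would send the user off the allowed hosts."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.startswith("/sso/login"):  # hypothetical login path
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not is_safe_redirect(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample access-log lines (not taken from any real Teamcenter host)
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Feb/2025:10:00:00 +0000] "GET /sso/login?returnUrl=%2Fhome HTTP/1.1" 302 -',
    '10.0.0.9 - - [11/Feb/2025:10:00:07 +0000] "GET /sso/login?returnUrl=https%3A%2F%2Flogin.attacker.example%2Ftc HTTP/1.1" 302 -',
    '10.0.0.9 - - [11/Feb/2025:10:00:09 +0000] "GET /sso/login?returnUrl=%2F%2Fattacker.example HTTP/1.1" 302 -',
]
```

Running `flag_external_redirects(SAMPLE_LOG)` returns the two requests from 10.0.0.9 whose return URL points off the allowed host; the first request's `/home` target passes the check.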
  • Remotely exploitable
  • No authentication required from attacker
  • Low complexity attack
  • User interaction required (clicking a link)
  • Affects data confidentiality and access control
  • Older versions (V14.1, V14.2) have no fix available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6)
4 with fix, 2 EOL

Product          | Affected Versions | Fix Status
Teamcenter V14.1 | All versions      | No fix (EOL)
Teamcenter V14.3 | < V14.3.0.14      | 14.3.0.14
Teamcenter V2312 | < V2312.0010      | 2312.0010
Teamcenter V2406 | < V2406.0008      | 2406.0008
Teamcenter V2412 | < V2412.0004      | 2412.0004
Teamcenter V14.2 | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Educate users not to click on links from untrusted sources, especially those claiming to be from Teamcenter login pages
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Teamcenter V14.3
HOTFIX: Update Teamcenter V14.3 to version 14.3.0.14 or later
Teamcenter V2312
HOTFIX: Update Teamcenter V2312 to version 2312.0010 or later
Teamcenter V2406
HOTFIX: Update Teamcenter V2406 to version 2406.0008 or later
Teamcenter V2412
HOTFIX: Update Teamcenter V2412 to version 2412.0004 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Teamcenter V14.1, Teamcenter V14.2. Apply the following compensating controls:
HARDENING: For Teamcenter V14.1 and V14.2 (end-of-life versions with no patch available), prioritize migration to supported versions V14.3.0.14 or later
HARDENING: Restrict network access to Teamcenter to authenticated internal users only; do not expose the login portal to the internet without additional security controls like multi-factor authentication