Siemens Apogee PXC100 Devices

Monitor | CVSS 7.5 | ICS-CERT ICSA-25-044-11 | Feb 11, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Apogee PXC and Talon TC devices contain two vulnerabilities: (1) an out-of-bounds memory read that allows an unauthenticated attacker on the network to force the device into a cold restart, causing denial of service; and (2) weak password encryption that allows decryption of stored administrative credentials. Both vulnerabilities affect all versions of PXC100 (BACnet and P2 Ethernet) and Talon TC (BACnet) devices. No vendor patches are planned.

What this means
What could happen
An attacker on the network could crash PXC and TC devices by forcing them to restart, disrupting HVAC/building control operations, and decrypt stored device passwords to gain administrative access.
Who's at risk
Building automation and HVAC system operators using Siemens Apogee PXC Series (BACnet or P2 Ethernet variants) or Talon TC Series (BACnet) devices. This affects any facility relying on these devices for climate control, occupancy management, or other critical building functions.
How it could be exploited
An attacker with network access to the device can send a crafted BACnet or P2 Ethernet message that triggers an out-of-bounds memory read, causing the device to enter a cold restart state. Additionally, the device stores passwords using weak or no encryption, allowing an attacker who can access device memory or intercept traffic to decrypt stored credentials and gain admin control.
Prerequisites
  • Network access to the PXC or TC device on ports used by BACnet (UDP 47808) or P2 Ethernet protocol
  • No authentication required to send the malicious packet
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects safety-critical building systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
APOGEE PXC Series (BACnet) | All versions | No fix (EOL)
APOGEE PXC Series (P2 Ethernet) | All versions | No fix (EOL)
TALON TC Series (BACnet) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to PXC and TC devices using firewall rules to allow only trusted engineering workstations and building management systems
  • HARDENING: Segment PXC and TC devices onto a dedicated building automation network isolated from general IT and the internet
  • HARDENING: Change all default and weak administrative passwords on PXC and TC devices immediately
  • WORKAROUND: Disable remote management access (if supported) or restrict it to trusted engineering workstations only
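
Because no fix is planned, the firewall and segmentation steps above are the only lasting control, so it is worth verifying them against observed traffic. The following is an added example (not part of the advisory or any Siemens tooling): a Python audit that flags flows reaching a controller from sources outside the allowlist. The flow-record format, addresses and allowlist are constructed assumptions.

```python
import ipaddress
from collections import Counter

BACNET_UDP_PORT = 47808  # BACnet/IP port named in the advisory's prerequisites

# Assumed site inventory, using documentation address ranges (constructed).
CONTROLLERS = [ipaddress.ip_network("192.0.2.0/28")]   # PXC / TC devices
TRUSTED = [ipaddress.ip_network("192.0.2.100/32"),     # engineering workstation
           ipaddress.ip_network("192.0.2.101/32")]     # building management server

# Constructed flow records: "time proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
2025-02-12T08:00:01Z udp 192.0.2.100 47808 192.0.2.5 47808
2025-02-12T08:00:07Z udp 198.51.100.23 51544 192.0.2.5 47808
2025-02-12T08:00:09Z udp 198.51.100.23 51544 192.0.2.6 47808
2025-02-12T08:01:30Z tcp 203.0.113.9 40222 192.0.2.5 80
2025-02-12T08:02:00Z udp 192.0.2.3 47808 192.0.2.5 47808
malformed line
"""

def _in(addr, nets):
    return any(addr in net for net in nets)

def audit_flows(text):
    """Return (violations, skipped): a Counter of (src, dst, proto, dport) flows that
    reach a controller from outside the allowlist, and the count of unparseable lines."""
    violations, skipped = Counter(), 0
    for line in text.splitlines():
        try:
            _, proto, src, _, dst, dport = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:          # wrong field count, bad address or bad port
            skipped += 1
            continue
        if not _in(dst, CONTROLLERS):
            continue                # not traffic toward a PXC/TC device
        if _in(src, TRUSTED) or _in(src, CONTROLLERS):
            continue                # allowlisted host or controller-to-controller peer
        violations[(str(src), str(dst), proto.lower(), dport)] += 1
    return violations, skipped

def bacnet_exposure(violations):
    """Unlisted sources that reached the BACnet/IP port on a controller."""
    return sorted({src for (src, _, proto, dport) in violations
                   if proto == "udp" and dport == BACNET_UDP_PORT})

if __name__ == "__main__":
    found, bad_lines = audit_flows(SAMPLE_FLOWS)
    print(found, bad_lines, bacnet_exposure(found))
```

Any entry returned by `bacnet_exposure` means a host outside the allowlist can still reach UDP 47808 on a controller, so the firewall rule or segment boundary is not doing what the mitigation requires.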