OTPulse

Siemens Apogee PXC100 Devices

Monitor · 7.5 · ICS-CERT ICSA-25-044-11 · Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens APOGEE PXC Series (BACnet and P2 Ethernet) and TALON TC Series devices contain two vulnerabilities in the BACnet implementation: (1) an out-of-bounds read that can force the device into a cold restart, causing denial of service; and (2) weak password encryption that allows decryption of stored device credentials. These flaws affect all versions and no firmware patch is currently available from Siemens. The vendor recommends network protection and following operational security guidelines as compensating controls.

What this means
What could happen
An attacker with network access to these devices can decrypt stored passwords or trigger a denial of service by forcing a cold reset, potentially disrupting building automation and HVAC control operations.
Who's at risk
Building automation and HVAC operators should prioritize this. Any facility running Siemens APOGEE PXC Series controllers (BACnet or P2 Ethernet variants) or TALON TC Series devices for climate control, ventilation, or energy management is affected. All versions are vulnerable with no vendor fix currently available.
How it could be exploited
An attacker on the network sends a malformed BACnet or P2 Ethernet command to the device, triggering an out-of-bounds memory read. This can either crash the device into a cold restart state or, combined with weak encryption, allow extraction and decryption of stored device passwords. Once passwords are obtained, the attacker could reconfigure setpoints or disable safety interlocks.
Prerequisites
  • Network access to BACnet port 47808 or P2 Ethernet port on the PXC/TC device
  • No authentication required to send the malformed command
  • Device running any version of the affected Siemens APOGEE PXC or TALON TC product
remotely exploitable · no authentication required · low complexity · no patch available · password decryption possible · denial of service capability
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
APOGEE PXC Series (BACnet) | All versions | No fix (EOL)
APOGEE PXC Series (P2 Ethernet) | All versions | No fix (EOL)
TALON TC Series (BACnet) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
APOGEE PXC Series (BACnet)
HARDENING: Implement network segmentation to restrict BACnet and P2 Ethernet access to the PXC/TC devices from only authorized engineering workstations and control systems; use firewall rules to deny external access
All products
WORKAROUND: Disable unnecessary remote access and management protocols on PXC/TC devices if not required for operations
WORKAROUND: Change all default and hardcoded passwords on affected devices immediately
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

APOGEE PXC Series (BACnet)
HARDENING: Monitor network traffic to the PXC/TC devices for suspicious BACnet or P2 Ethernet commands and configure alerts
All products
HOTFIX: Review and update device firmware to the latest available version when Siemens releases a fix
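
Added example (not from the advisory or from Siemens) for the segmentation and monitoring items above: it triages UDP datagrams addressed to BACnet port 47808, flagging senders outside an allowlist and frames whose BACnet/IP BVLC header length disagrees with the payload size. The allowlist addresses and sample datagrams are constructed, the length test is a generic sanity check rather than a signature for the specific flaw, and P2 Ethernet traffic is not covered.

```python
import ipaddress
import struct

BACNET_PORT = 47808  # BACnet/IP UDP port named in the advisory
# Assumption: constructed allowlist of engineering workstations / supervisory systems.
AUTHORIZED = [ipaddress.ip_network("10.20.0.10/32"),
              ipaddress.ip_network("10.20.0.11/32")]

def check_datagram(src_ip, dst_port, payload):
    """Return alert reasons for one UDP datagram sent to a PXC/TC device."""
    if dst_port != BACNET_PORT:
        return []  # only BACnet/IP is examined here
    reasons = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in AUTHORIZED):
        reasons.append("unauthorized-source")
    if len(payload) < 4:
        # BVLC header is 4 bytes: type, function, 16-bit length
        reasons.append("truncated-bvlc")
        return reasons
    bvlc_type, _function, declared_len = struct.unpack("!BBH", payload[:4])
    if bvlc_type != 0x81:
        reasons.append("not-bacnet-ip")
    elif declared_len != len(payload):
        # BVLC length counts the whole frame, header included
        reasons.append("bvlc-length-mismatch")
    return reasons

def triage(records):
    """Return (source, reasons) for every record that raised an alert."""
    return [(src, reasons) for src, port, data in records
            if (reasons := check_datagram(src, port, data))]

# Constructed sample traffic: (source IP, destination port, UDP payload)
SAMPLE = [
    ("10.20.0.10", 47808, bytes.fromhex("810b000c0120ffff00ff1008")),  # well-formed Who-Is
    ("192.0.2.77", 47808, bytes.fromhex("810b000c0120ffff00ff1008")),  # unknown sender
    ("10.20.0.11", 47808, bytes.fromhex("810a00ff01040005")),  # declares 255, is 8 bytes
    ("10.20.0.10", 47808, b"\x81\x0a"),                         # shorter than BVLC header
    ("10.20.0.10", 502, b"\x00\x01"),                           # other port, ignored
]

if __name__ == "__main__":
    for source, why in triage(SAMPLE):
        print(f"ALERT {source}: {', '.join(why)}")
```
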