Siemens SIMATIC IPC DiagBase and SIMATIC IPC DiagMonitor

CVSS 7 | ICS-CERT ICSA-25-044-12 | Feb 11, 2025
Vendor: Siemens
Attack path
  • Attack Vector: Local
  • Auth Required: Low
  • Complexity: High
  • User Interaction: None needed
Summary

SIMATIC IPC DiagBase and DiagMonitor contain a weak registry permission vulnerability (CWE-732) that allows an authenticated local attacker to escalate privileges and bypass security measures. The vulnerability affects all versions of both products. Siemens has stated no fix will be released. Siemens recommends protecting network access with appropriate mechanisms and operating devices in a protected IT environment following Siemens operational security guidelines.

What this means
What could happen
An attacker with local access to an IPC running DiagBase or DiagMonitor could exploit weak registry permissions to escalate privileges and potentially disable security features or modify system configuration, affecting the availability and integrity of the IPC.
Who's at risk
Water utilities, electric utilities, and other industrial facilities using Siemens SIMATIC IPCs (industrial PCs) with DiagBase or DiagMonitor for system diagnostics and monitoring. This affects any IPC used for real-time process control or SCADA integration where privilege escalation could compromise system integrity.
How it could be exploited
An attacker who already has local user-level access to the IPC (or an unprivileged account) can directly modify Windows registry permissions or settings to escalate to higher privileges, then alter process monitoring, security policies, or system behavior. The vulnerability is local-only; remote exploitation is not possible.
Prerequisites
  • Local user account on the IPC running DiagBase or DiagMonitor
  • Low privileges (standard user, not administrator)
  • Physical or remote desktop access to the IPC console
Key points
  • Requires local access (not remotely exploitable)
  • Authenticated attacker needed
  • High complexity exploitation (requires registry knowledge)
  • No patch available (vendor will not fix)
  • Affects diagnostic and monitoring infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2), both end of life (EOL)
  Product                   Affected Versions   Fix Status
  SIMATIC IPC DiagBase      All versions        No fix (EOL)
  SIMATIC IPC DiagMonitor   All versions        No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict local login accounts on the IPC; disable or remove unnecessary user accounts and enforce strong password policies.
  • WORKAROUND: Implement access control lists (ACLs) on the Windows registry to restrict write permissions on the sensitive registry keys that DiagBase and DiagMonitor use.
  • HARDENING: Disable Remote Desktop Protocol (RDP) access to the IPC if it is not required for operations, or restrict RDP to authorized IP addresses only.
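The registry ACL workaround above, as an added example rather than code from the advisory or from Siemens: a PowerShell audit that lists ACEs on a key granting write-type rights (the CWE-732 condition) to broad, low-privileged principals, plus a function that tightens those ACEs to read-only. The key path is a placeholder, since the advisory does not name the keys the products use; the principal list and the choice of rights treated as "write" are this example's assumptions.

```powershell
# Added example, not from the advisory or Siemens. Audits a registry key's DACL for
# ACEs that give write-type rights to broad principals and optionally tightens them.
# Run in an elevated session on the IPC after identifying the real keys.
using namespace System.Security.AccessControl

# PLACEHOLDER: the advisory does not name the keys DiagBase/DiagMonitor use.
$KeysToAudit = @('HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_PRODUCT')

# Assumed list of principals that should never be able to change a sensitive key.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the holder alter values, subkeys, or the ACL itself.
$WriteMask = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey -bor
             [RegistryRights]::WriteKey -bor [RegistryRights]::Delete -bor
             [RegistryRights]::ChangePermissions -bor [RegistryRights]::TakeOwnership

function Get-WeakRegistryAce {
    # Detection: report Allow ACEs that grant write-type rights to a broad principal.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Key not found: $Path"; return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.RegistryRights -band $WriteMask) -ne 0 -and
            $BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Key = $Path; Principal = $ace.IdentityReference.Value
                               Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
        }
    }
}

function Set-ReadOnlyForBroadPrincipals {
    # Remediation: break inheritance (keeping copies of inherited ACEs so they become
    # editable), drop the write-capable ACEs of broad principals, grant ReadKey instead.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path   # re-read: formerly inherited ACEs are now explicit
    foreach ($weak in (Get-WeakRegistryAce -Path $Path)) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$weak.Principal)
        $acl.AddAccessRule([RegistryAccessRule]::new($weak.Principal, [RegistryRights]::ReadKey,
            [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None, [AccessControlType]::Allow))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$KeysToAudit | ForEach-Object { Get-WeakRegistryAce -Path $_ } | Format-Table -AutoSize
# After reviewing the report: $KeysToAudit | ForEach-Object { Set-ReadOnlyForBroadPrincipals -Path $_ }
```

Verify on a test IPC first: the products may legitimately need a service account to write to these keys, and that account's ACE should be kept rather than treated as broad.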
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Isolate IPC systems on a protected OT network segment with firewall rules that allow only authorized engineering workstations to access them.