OTPulse

Siemens SIMATIC PCS neo, TIA Administrator, and TIA Portal

Plan Patch · 8.8 · ICS-CERT ICSA-25-044-13 · Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Siemens SIMATIC PCS neo, TIA Administrator, SIMOCODE ES, and SIRIUS engineering tools fail to properly invalidate user sessions upon logout. An attacker who obtains a valid session token can reuse it to maintain authenticated access to the engineering environment even after the legitimate user logs out. This affects PCS neo V4.0 (all versions, no fix planned), V4.1 (before Update 2), and V5.0 (before Update 1); SIMOCODE ES V19 (before Update 1); SIRIUS Safety ES and Soft Starter ES V19 (both before Update 1); and TIA Administrator (before v3.0.4). Siemens recommends updating to patched versions and implementing network segmentation. For V4.0 with no patch available, users should enforce complete browser and application closure after logout.

What this means
What could happen
An attacker with a stolen session token could impersonate a legitimate user and maintain access to SIMATIC PCS neo, TIA Administrator, or SIRIUS engineering tools even after that user logs out, allowing unauthorized commands or configuration changes to control systems.
Who's at risk
This affects Siemens engineering and administration tools used by control system operators and engineers: SIMATIC PCS neo (process control), TIA Administrator (credentials and user management), SIMOCODE ES (soft starters), and SIRIUS Safety and Soft Starter engineering suites. Any organization using Siemens PCS or TIA Portal environments for PLC/automation configuration and operations is at risk.
How it could be exploited
An attacker obtains a valid session token through phishing, network sniffing, or another method. The attacker then uses this token to send authenticated requests to the affected engineering workstation or server after the legitimate user has logged out. Because the application fails to invalidate sessions on logout, the stolen token remains valid and grants full access to the engineering environment.
Prerequisites
  • Session token obtained through phishing, eavesdropping, or similar means
  • Network access to the affected product (SIMATIC PCS neo, TIA Administrator, or SIRIUS tools)
  • Knowledge that the legitimate user has logged out (token reuse window)
Remotely exploitable over network · No user interaction required (except initial token compromise) · Low attack complexity · Session hijacking / token reuse · Affects engineering/administrative access to critical control systems · SIMATIC PCS neo V4.0 has no patch available
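One way to detect the token reuse described above, added here as an example and not taken from Siemens or the advisory: it flags any request that presents a session ID after that session's logout and, going slightly beyond the text, any request for a live session from a different source IP than the login. The log format, field names and sample lines are constructed assumptions; map them to whatever your reverse proxy or application log records.

```python
from datetime import datetime

# Constructed sample events (hypothetical format): ISO timestamp, source IP,
# event type, session identifier (log a hash of the token, never the token).
SAMPLE_LOG = """\
2025-02-11T08:00:02 10.10.5.21 LOGIN sess=a1f3 user=eng1
2025-02-11T08:14:40 10.10.5.21 REQUEST sess=a1f3 path=/project/open
2025-02-11T08:30:11 10.10.5.21 LOGOUT sess=a1f3 user=eng1
2025-02-11T08:41:57 10.10.9.77 REQUEST sess=a1f3 path=/project/download
2025-02-11T09:00:00 10.10.5.30 LOGIN sess=b7c9 user=eng2
2025-02-11T09:05:12 10.10.5.30 REQUEST sess=b7c9 path=/project/open
2025-02-11T09:06:00 10.10.5.44 REQUEST sess=b7c9 path=/project/open
"""

def parse(line):
    """Split one constructed log line into (time, ip, event, key=value fields)."""
    ts, ip, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), ip, event, kv

def find_session_anomalies(log_text):
    """Return alerts for sessions used after logout or from a new source IP."""
    logout_at = {}   # session id -> time of logout
    login_ip = {}    # session id -> IP that created the session
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, kv = parse(line)
        sid = kv.get("sess")
        if sid is None:
            continue
        if event == "LOGIN":
            login_ip[sid] = ip
            logout_at.pop(sid, None)  # a fresh login resets the state
        elif event == "LOGOUT":
            logout_at[sid] = ts
        elif event == "REQUEST":
            if sid in logout_at:
                # Session should be dead: report seconds elapsed since logout.
                delay = int((ts - logout_at[sid]).total_seconds())
                alerts.append(("USE_AFTER_LOGOUT", sid, ip, delay))
            elif sid in login_ip and ip != login_ip[sid]:
                alerts.append(("SOURCE_CHANGED", sid, ip, None))
    return alerts

if __name__ == "__main__":
    for alert in find_session_anomalies(SAMPLE_LOG):
        print(alert)
```

On an unpatched system a `USE_AFTER_LOGOUT` request would be served as authenticated; after the update the same request should be rejected, which makes this check usable for verifying the fix as well.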
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (7)
6 with fix · 1 EOL

Product | Affected Versions | Fix Status
SIMATIC PCS neo V4.1 | <V4.1 Update 2 | 4.1 Update 2
SIMATIC PCS neo V5.0 | <V5.0 Update 1 | 5.0 Update 1
SIMOCODE ES V19 | <V19 Update 1 | 19 Update 1
SIRIUS Safety ES V19 (TIA Portal) | <V19 Update 1 | 19 Update 1
SIRIUS Soft Starter ES V19 (TIA Portal) | <V19 Update 1 | 19 Update 1
TIA Administrator | <V3.0.4 | 3.0.4
SIMATIC PCS neo V4.0 | All versions | No fix (EOL)

Remediation & Mitigation
Do now
WORKAROUND: Instruct users to close the browser and client application completely after logout and manually remove any locally stored session tokens or cache files.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS neo V4.1
HOTFIX: Update SIMATIC PCS neo V4.1 to version 4.1 Update 2 or later
SIMATIC PCS neo V5.0
HOTFIX: Update SIMATIC PCS neo V5.0 to version 5.0 Update 1 or later
SIMOCODE ES V19
HOTFIX: Update SIMOCODE ES V19 to version 19 Update 1 or later
SIRIUS Safety ES V19 (TIA Portal)
HOTFIX: Update SIRIUS Safety ES V19 (TIA Portal) to version 19 Update 1 or later
HOTFIX: Update SIRIUS Soft Starter ES V19 (TIA Portal) to version 19 Update 1 or later
TIA Administrator
HOTFIX: Update TIA Administrator to version 3.0.4 or later
Mitigations - no patch available
SIMATIC PCS neo V4.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict network access to engineering workstations and administrative tools using firewall rules; do not expose TIA Portal, PCS neo, or TIA Administrator to untrusted networks
HARDENING: Segment engineering workstations from business networks and the internet using air-gapping or dedicated VLANs