Siemens SIMATIC PCS neo, TIA Administrator, and TIA Portal

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-044-13 | Feb 11, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Affected Siemens products do not properly invalidate user sessions when a user logs out. This means an attacker who has obtained a valid session token through other means (phishing, network capture, credential theft) can re-use that token to access the system after the legitimate user has logged out. An attacker with a valid session token gains the same permissions as the original user, allowing them to access engineering workstations, modify control system projects, alter process setpoints, or reconfigure safety systems. The vulnerability requires the attacker to first obtain the session token but does not require any valid credentials or authentication once the token is possessed.

What this means
What could happen
An attacker with access to a captured session token could impersonate a logged-out user and regain access to engineering workstations, allowing them to modify control logic, process parameters, or project configurations. This affects all engineering and administrative tasks performed through TIA Portal and SIMATIC PCS neo.
Who's at risk
Engineering teams and system administrators who use Siemens TIA Portal, SIMATIC PCS neo, or TIA Administrator for control system design, commissioning, and maintenance on manufacturing plants, water treatment facilities, power generation sites, and other industrial operations. This especially affects organizations where multiple engineers share workstations or where remote engineering access is common.
How it could be exploited
An attacker must first obtain a valid session token from a legitimate user (through phishing, network sniffing, or other means). After the user logs out, the attacker can replay this token to re-authenticate without credentials, gaining full access to the user's session and any connected industrial systems they can control from that workstation.
Prerequisites
  • Session token obtained by attacker (via phishing, credential compromise, or network interception)
  • Access to the engineering workstation or TIA Portal/SIMATIC PCS neo interface from the network
  • The legitimate user must have logged out but the session token has not been properly invalidated
Remotely exploitable over network | Requires prior session token capture (weak prerequisite) | High CVSS 8.8 score | Affects engineering/safety applications | Session token reuse after logout
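
The token replay after logout described above leaves a recognizable trace wherever session activity is logged: a request that carries a session identifier after that identifier's logout event. The following added example (not from the advisory or from Siemens) flags such requests; the event layout, field names and sample lines are constructed for illustration and do not reflect any Siemens log format.

```python
from datetime import datetime

# Constructed sample events; the layout is hypothetical, not a Siemens log format.
# "sid" is assumed to be a truncated hash of the token, never the token itself.
SAMPLE_EVENTS = """\
2025-02-11T08:00:02Z login   sid=a1f3 user=eng1 src=10.10.5.21
2025-02-11T08:14:40Z request sid=a1f3 user=eng1 src=10.10.5.21
2025-02-11T08:30:00Z logout  sid=a1f3 user=eng1 src=10.10.5.21
2025-02-11T08:31:10Z login   sid=b772 user=eng2 src=10.10.5.22
2025-02-11T09:02:17Z request sid=a1f3 user=eng1 src=10.10.9.80
2025-02-11T09:05:00Z request sid=b772 user=eng2 src=10.10.5.22
"""

def parse_event(line):
    """Split one event line into (timestamp, action, fields dict)."""
    ts, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), action, fields

def find_post_logout_use(log_text):
    """Return one finding per request that carries a session id after its logout."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    logged_out = {}   # sid -> (logout time, source address seen at logout)
    findings = []
    for ts, action, f in events:
        sid = f["sid"]
        if action == "login":
            logged_out.pop(sid, None)   # identifier legitimately issued again
        elif action == "logout":
            logged_out[sid] = (ts, f.get("src"))
        elif action == "request" and sid in logged_out:
            out_ts, out_src = logged_out[sid]
            findings.append({
                "sid": sid,
                "user": f.get("user"),
                "seconds_after_logout": int((ts - out_ts).total_seconds()),
                "new_source": f.get("src") != out_src,
            })
    return findings

if __name__ == "__main__":
    for finding in find_post_logout_use(SAMPLE_EVENTS):
        print(finding)
```

Any finding means the server accepted or at least received a session identifier it should have discarded at logout; a changed source address raises the priority of the alert.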
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (7)
6 with fix, 1 EOL

Product | Affected Versions | Fix Status
SIMATIC PCS neo V4.1 | <V4.1 Update 2 | 4.1 Update 2
SIMATIC PCS neo V5.0 | <V5.0 Update 1 | 5.0 Update 1
SIMOCODE ES V19 | <V19 Update 1 | 19 Update 1
SIRIUS Safety ES V19 (TIA Portal) | <V19 Update 1 | 19 Update 1
SIRIUS Soft Starter ES V19 (TIA Portal) | <V19 Update 1 | 19 Update 1
TIA Administrator | <V3.0.4 | 3.0.4
SIMATIC PCS neo V4.0 | All versions | No fix (EOL)

Remediation & Mitigation
Do now
SIRIUS Safety ES V19 (TIA Portal)
HARDENING: Restrict network access to TIA Portal and engineering workstations to trusted internal networks only; block access from the internet and untrusted networks at the firewall
All products
WORKAROUND: Instruct users to fully close the browser and client application after logout and manually delete all locally stored session tokens and cached data
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

SIMATIC PCS neo V4.1
HOTFIX: Update SIMATIC PCS neo V4.1 to V4.1 Update 2 or later
SIMATIC PCS neo V5.0
HOTFIX: Update SIMATIC PCS neo V5.0 to V5.0 Update 1 or later
SIMOCODE ES V19
HOTFIX: Update SIMOCODE ES V19 to V19 Update 1 or later
SIRIUS Safety ES V19 (TIA Portal)
HOTFIX: Update SIRIUS Safety ES V19 (TIA Portal) to V19 Update 1 or later
HOTFIX: Update SIRIUS Soft Starter ES V19 (TIA Portal) to V19 Update 1 or later
TIA Administrator
HOTFIX: Update TIA Administrator to V3.0.4 or later