Siemens Opcenter Intelligence

Act Now9.6ICS-CERT ICSA-25-044-14Feb 11, 2025

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Opcenter Intelligence contains multiple critical vulnerabilities in its Tableau Server component involving weak authentication (CWE-287), path traversal (CWE-22), unsafe object deserialization (CWE-502), information disclosure (CWE-532), and server-side request forgery (CWE-918). These vulnerabilities allow an attacker on the network to bypass access controls, read or write arbitrary files, execute code, and access sensitive data. The vulnerability is being actively exploited in the wild. Siemens has released version V2501 with fixes.

What this means

What could happen

An attacker with access to the Opcenter Intelligence Tableau Server component could execute arbitrary code, access sensitive data, read/write files, or disrupt operations. With multiple authentication and path traversal flaws, the device is exposed to remote attacks that could compromise both the manufacturing execution system and data confidentiality.

Who's at risk

Manufacturing facilities using Siemens Opcenter Intelligence for production planning and execution should prioritize this update. The vulnerability affects all instances running versions before V2501, including plants using Opcenter for batch scheduling, production monitoring, and resource management across discrete and process manufacturing.

How it could be exploited

An attacker on the network can exploit multiple weaknesses in the Tableau Server component: weak authentication (CWE-287) allows bypass of access controls, path traversal (CWE-22) enables reading arbitrary files, and unsafe deserialization (CWE-502) permits code execution. The attacker could send specially crafted requests to execute commands on the Opcenter Intelligence server without valid credentials.

Prerequisites

Network access to the Opcenter Intelligence Tableau Server component (typically port 8080 or web service port)
No authentication credentials required for exploitation of authentication bypass vulnerabilities
Device must be running Opcenter Intelligence version prior to V2501

remotely exploitableno authentication requiredlow complexityactively exploited (KEV)high EPSS score (94.4%)multiple CWEs (authentication bypass, path traversal, unsafe deserialization)affects manufacturing execution system

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (1)

ProductAffected VersionsFix Status

Opcenter Intelligence<V25012501

Remediation & Mitigation

0/5

Do now

0/5

HOTFIXUpdate Opcenter Intelligence to V2501 or later

HOTFIXInstall the latest available version of Tableau Server as described in Siemens knowledge base PL8822108

WORKAROUNDRestrict network access to the Opcenter Intelligence device using firewalls; do not expose to the internet

HARDENINGIsolate the Opcenter Intelligence system from business networks behind a firewall

HARDENINGIf remote access is required, use a VPN and keep VPN software updated to the latest version

CVEs (5)

CVE-2022-22127 CVE-2022-22128 CVE-2023-46604 CVE-2025-26490 CVE-2025-26491

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fe908c1a-2118-4010-88d6-e0770ca4362c