Siemens Opcenter Intelligence

Act NowCVSS 9.6ICS-CERT ICSA-25-044-14Feb 11, 2025

Siemens

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Opcenter Intelligence versions prior to 2501 contain multiple vulnerabilities in the embedded Tableau Server component, including authentication bypass (CWE-287), path traversal (CWE-22), unsafe deserialization (CWE-502), and information disclosure (CWE-532). These vulnerabilities allow unauthenticated remote code execution and sensitive data access with low attack complexity. The vulnerability is actively being exploited in the wild.

What this means

What could happen

An attacker with network access to Opcenter Intelligence could bypass authentication, read sensitive files, and execute arbitrary code on the system, potentially allowing them to modify production plans, disrupt operations, or exfiltrate data from your manufacturing execution system.

Who's at risk

Manufacturing operations teams and IT staff managing Opcenter Intelligence for production planning and scheduling. Specifically affects facilities using Siemens Opcenter as their Manufacturing Execution System (MES) or integrated planning tool, particularly those versions prior to 2501.

How it could be exploited

An attacker reaching the Tableau Server component embedded in Opcenter Intelligence (typically accessible via the internal network or across the IT/OT boundary) can exploit authentication weaknesses and file traversal vulnerabilities to gain unauthenticated code execution. No user interaction is required.

Prerequisites

Network access to Opcenter Intelligence Tableau Server component (port and protocols depend on deployment)
No authentication required
Low complexity attack (leverages known vulnerability patterns)

remotely exploitableno authentication requiredlow complexityactively exploited (KEV)high EPSS score (94.4%)affects industrial operations (MES/planning system)

Exploitability

Actively exploited — confirmed by CISA KEV

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (1)

ProductAffected VersionsFix Status

Opcenter Intelligence<V25012501

Remediation & Mitigation

0/5

Do now

0/3

HOTFIXUpdate Opcenter Intelligence to version 2501 or later

HOTFIXInstall the latest available version of Tableau Server as specified in Siemens knowledge base PL8822108

WORKAROUNDRestrict network access to Opcenter Intelligence using firewall rules to allow only authorized engineering and planning workstations

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate Opcenter Intelligence and its Tableau Server component from internet-accessible networks and untrusted business networks

HARDENINGIf remote access to Opcenter Intelligence is required, enforce VPN tunneling from approved remote access solutions and apply multi-factor authentication

CVEs (5)

CVE-2022-22127 CVE-2022-22128 CVE-2023-46604 CVE-2025-26490 CVE-2025-26491

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fe908c1a-2118-4010-88d6-e0770ca4362c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.