Siemens Desigo

MonitorCVSS 7.5ICS-CERT ICSA-25-135-04May 13, 2025

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Desigo CC deployments using Installed Client have an information disclosure vulnerability that allows unauthenticated access to sensitive server data via the event port (default 4998/tcp). An attacker on the network can read operational, configuration, or alarm information from the Desigo CC server without valid credentials. Siemens has not released a patch and recommends restricting access to the event port and disabling the Installed Client component in favor of Windows App Client or Flex Client. Siemens emphasizes layered network security and recommends isolating Desigo CC systems from business networks and the internet.

What this means

What could happen

An attacker with network access to the Desigo CC event port could retrieve sensitive configuration, alarm, or operational data from the HVAC/building automation server without authentication. This could expose setpoints, operational schedules, or system state information that could be used to plan further attacks or disrupt building comfort and security systems.

Who's at risk

Building automation and HVAC system operators using Siemens Desigo CC with the Installed Client component. This includes facility managers, building engineers, and technicians at commercial buildings, data centers, hospitals, and industrial facilities that rely on Desigo CC for building climate control, occupancy management, and energy optimization. Windows App Client and Flex Client deployments are not affected.

How it could be exploited

An attacker on the same network segment (or from the internet if the event port is exposed) can connect to the Desigo CC server on port 4998/tcp and read server data. The Installed Client component does not properly validate or restrict access to sensitive information, allowing unauthenticated data disclosure. No valid credentials or user interaction are required.

Prerequisites

Network access to port 4998/tcp on the Desigo CC server
Desigo CC deployment using Installed Client (Windows App Client and Flex Client are not affected)

remotely exploitableno authentication requiredlow complexityno patch available

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

Desigo CCAll versionsNo fix (EOL)

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict network access to port 4998/tcp on the Desigo CC server using firewall rules, allowing only authorized client workstations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDDisable support for Installed Clients on the Desigo CC server and migrate to Windows App Client or Flex Client

Mitigations - no patch available

0/1

Desigo CC has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGSegment the Desigo CC server and its clients onto a separate network from business systems and the internet

CVEs (1)

CVE-2024-23815

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/912315a3-75a1-4455-bbc3-39734cd72076

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.