Siemens Polarion
Score 6.5 · ICS-CERT ICSA-25-135-11 · May 13, 2025
Attack vector: Network
Auth required: Low
Complexity: Low
User interaction: None needed
Summary
Siemens Polarion contains multiple vulnerabilities (CWE-89 SQL injection, CWE-611 XML external entities, CWE-79 cross-site scripting, CWE-204 observable discrepancy) that allow authenticated attackers to extract confidential data, conduct cross-site scripting attacks, or enumerate valid usernames. The vulnerabilities affect Polarion V2310 (all versions), V2404 versions before V2404.4, and earlier releases. V2410 and later versions remediate these issues.
What this means
What could happen
An authenticated attacker could extract sensitive engineering and process documentation from Polarion, potentially revealing control system configurations and safety-critical parameters. Additionally, cross-site scripting attacks could be used to steal credentials from engineers accessing the system, leading to unauthorized access to engineering workstations or connected control networks.
Who's at risk
Organizations running Siemens Polarion as a document management and lifecycle management system should be concerned. While Polarion is primarily a software platform rather than direct OT control equipment, it is frequently used in engineering environments for managing industrial process designs, configurations, and safety documentation. Attackers with valid credentials could extract sensitive engineering data (process configurations, safety interlocks, design specifications) or conduct phishing attacks against engineering staff through cross-site scripting. The data extraction risk is particularly relevant to water utilities and electric utilities where process documentation contains critical control parameters.
How it could be exploited
An attacker with valid engineering credentials (obtained through phishing, credential theft, or legitimate access) logs into Polarion and exploits SQL injection (CWE-89) or XML external entity (CWE-611) vulnerabilities to extract data such as process configurations, design documents, or employee information. Alternatively, the attacker can inject malicious JavaScript (CWE-79) into documents or comments that executes when other engineers open them, stealing their session cookies or credentials to escalate access or pivot to engineering workstations.
Prerequisites
- Valid Polarion user credentials (engineering account or higher privilege)
- Network access to the Polarion web interface (typically internal network, but possible over VPN or exposed internet-facing deployments)
- User interaction for XSS exploitation (the engineer must view the malicious content)
Key points: remotely exploitable over the network; authentication required (reduces but does not eliminate risk); low-complexity exploitation; affects engineering/IT documentation systems used in OT environments; no fix available for V2310; data extraction and credential theft capabilities.
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3): 2 with fix, 1 EOL
Product | Affected versions | Fix status
Polarion V2404 | < V2404.4 | 2404.4
Polarion V2404 | < V2404.2 | 2404.2
Polarion V2310 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Polarion web interface using firewall rules; allow only from approved engineering networks or VPN
HARDENING: Enforce strong password policies and multi-factor authentication for all Polarion user accounts, especially engineering and administrative accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Polarion V2404
HOTFIX: Update Polarion V2404 to V2404.4 or later to fix CVE-2024-51444, CVE-2024-51445, CVE-2024-51446
HOTFIX: Update Polarion V2404 to V2404.2 or later to fix CVE-2024-51447
Polarion V2310
HOTFIX: Upgrade Polarion V2310 to V2410 or later; no patches are available for V2310
All products
HARDENING: Review and audit user access permissions in Polarion; remove unnecessary credentials and follow the principle of least privilege
Mitigations - no patch available
Polarion V2310 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate Polarion from the internet; ensure it is only accessible over the internal network or VPN with encryption
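To turn the affected-version table and the V2404/V2310 remediation entries above into a check that can be run over a deployment inventory, here is an added example in Python (not vendor tooling and not part of this advisory); it assumes Polarion versions are reported as strings such as V2404.4 or V2310, and it encodes only the fix levels the advisory states.

```python
"""Classify installed Polarion versions against ICSA-25-135-11 (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Fix levels on the V2404 line, as stated in the advisory's HOTFIX entries.
V2404_FIXES = {"CVE-2024-51444": 4, "CVE-2024-51445": 4,   # fixed in V2404.4
               "CVE-2024-51446": 4, "CVE-2024-51447": 2}   # 51447 fixed in V2404.2
REMEDIATED_FROM = 2410  # "V2410 and later versions remediate these issues"

@dataclass
class Assessment:
    version: str
    affected: bool
    unfixed_cves: List[str] = field(default_factory=list)
    action: str = ""

def parse_version(text: str) -> Tuple[int, int]:
    """'V2404.4' -> (2404, 4); 'V2310' -> (2310, 0). Rejects anything else."""
    parts = text.strip().upper().lstrip("V").split(".")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Polarion version: {text!r}")
    return int(parts[0]), (int(parts[1]) if len(parts) == 2 else 0)

def assess(version: str) -> Assessment:
    """Map one installed version to affected/not affected plus the required action."""
    line, update = parse_version(version)
    if line >= REMEDIATED_FROM:
        return Assessment(version, False, [], "none: V2410 and later remediate these issues")
    if line == 2404:
        missing = sorted(cve for cve, fix in V2404_FIXES.items() if update < fix)
        if not missing:
            return Assessment(version, False, [], "none: V2404.4 or later carries all fixes")
        return Assessment(version, True, missing, "update to V2404.4 or later")
    # V2310 (EOL, no patch) and earlier releases: every advisory CVE stays open.
    return Assessment(version, True, sorted(V2404_FIXES),
                      "upgrade to V2410 or later; until then restrict network access, "
                      "enforce MFA and audit Polarion permissions")

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, Assessment]]:
    """Return only the (hostname, assessment) pairs that still need action."""
    return [(host, a) for host, a in ((h, assess(v)) for h, v in inventory) if a.affected]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, a in triage([("polarion-prod", "V2404.3"), ("polarion-test", "V2410"),
                           ("polarion-legacy", "V2310")]):
        print(f"{host}: {a.version} affected, open {a.unfixed_cves}; action: {a.action}")
```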
API: /api/v1/advisories/082a6301-5a41-4b63-b21e-154194b53666