Siemens Polarion

MonitorCVSS 6.5ICS-CERT ICSA-25-135-11May 13, 2025

Siemens

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Siemens Polarion contains multiple vulnerabilities: SQL injection (CWE-89), XML external entity injection (CWE-611), cross-site scripting (CWE-79), and username enumeration (CWE-204). These allow authenticated attackers to extract data, inject malicious content, or discover valid usernames. Polarion V2404 is vulnerable before patch releases 2404.2 and 2404.4. Polarion V2310 has no planned fix. Siemens recommends updating to V2410 or applying available patch releases.

What this means

What could happen

An attacker with valid Polarion credentials could extract sensitive data, discover valid usernames, or inject malicious code into the web interface that other users see. This could expose project and configuration information stored in Polarion.

Who's at risk

Organizations using Siemens Polarion for project management and collaboration. Polarion V2404 (before patch releases) and V2310 (all versions) are affected. This applies to engineering teams, project managers, and automation groups using Polarion as a centralized development and tracking system.

How it could be exploited

An attacker with valid Polarion login credentials exploits SQL injection, XML external entity, or cross-site scripting flaws to extract data, conduct user enumeration, or inject malicious scripts. The vulnerabilities are in the web interface accessible over the network.

Prerequisites

Valid Polarion user credentials
Network access to Polarion web interface
Polarion V2404 before patch release or V2310 (all versions)

remotely exploitablerequires valid credentialsno patch available for V2310data extraction possibleusername enumeration possible

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (3)

2 with fix1 EOL

ProductAffected VersionsFix Status

Polarion V2404< V2404.42404.4

Polarion V2404< V2404.22404.2

Polarion V2310All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to Polarion web interface using firewall rules, allowing only trusted internal networks

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Polarion V2404

HOTFIXUpdate Polarion V2404 to version 2404.4 or later to fix CVE-2024-51444, CVE-2024-51445, CVE-2024-51446

HOTFIXUpdate Polarion V2404 to version 2404.2 or later to fix CVE-2024-51447

All products

HOTFIXUpdate Polarion to V2410 or later version for comprehensive vulnerability remediation

Mitigations - no patch available

0/1

Polarion V2310 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGDeploy Polarion behind a VPN if remote access is required, using a properly maintained and updated VPN gateway

CVEs (4)

CVE-2024-51444 CVE-2024-51445 CVE-2024-51446 CVE-2024-51447

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/082a6301-5a41-4b63-b21e-154194b53666

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.