OTPulse

Siemens Opcenter Quality

Plan PatchCVSS 7.1ICS-CERT ICSA-25-226-06Aug 12, 2025
Siemens
Attack path
Attack VectorAdjacent
Auth RequiredLow
ComplexityHigh
User InteractionNone needed
Summary

Siemens Opcenter Quality SmartClient modules (versions 13.2 through before 2506) contain multiple authorization, encryption, and information disclosure vulnerabilities in SmartClient Opcenter QL Home (SC), SOA Audit, and SOA Cockpit components. CVE-2024-41979 involves improper authorization and unencrypted SOAP services. CVE-2024-41980 involves weak LDAP encryption. CVE-2024-41982 allows unauthorized access to sensitive fields. CVE-2024-41983 involves database information disclosure and IIS hardening gaps. CVE-2024-41984 involves directory traversal and file access control bypass. CVE-2024-41986 involves deprecated protocol support.

What this means
What could happen
An attacker with access to the Opcenter Quality network or valid user credentials could exploit authorization flaws, unencrypted data transmission, or information disclosure vulnerabilities to alter quality data, access sensitive production information, or disrupt quality assurance operations.
Who's at risk
Organizations operating Siemens Opcenter Quality SmartClient modules for quality management and reporting, including manufacturers in pharmaceuticals, chemicals, food and beverage, and other process industries that use Opcenter QL Home (SC), SOA Audit, or SOA Cockpit for quality data collection, auditing, and analysis.
How it could be exploited
An attacker with network access to SmartClient or valid LDAP credentials could exploit weak authorization controls to bypass access restrictions, leverage unencrypted SOAP services to intercept or modify quality data, or use directory traversal and information disclosure flaws to enumerate system configuration and extract sensitive process parameters.
Prerequisites
  • Network access to SmartClient modules or LDAP interface
  • Valid user credentials (for LDAP-related CVEs)
  • Access to internal network where Opcenter Quality is deployed
  • Ability to communicate with SOAP services if exposed outside SmartClient
Affects quality assurance systems in regulated industriesAuthorization bypass vulnerabilities presentUnencrypted data transmission possibleInformation disclosure allows reconnaissanceLow exploit complexityWeak default or legacy protocol supportMultiple vulnerabilities in same product suite
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
3 with fix
ProductAffected VersionsFix Status
SmartClient modules Opcenter QL Home (SC)≥ 13.2, < 25062506
SOA Audit≥ 13.2, < 25062506
SOA Cockpit≥ 13.2, < 25062506
Remediation & Mitigation
0/7
Do now
0/5
HARDENINGEnable SSL/TLS 1.2 or higher on LDAP interface and disable legacy SSL v2/v3 and TLS 1.0/1.1
HARDENINGRestrict network access to SmartClient and LDAP interface to authorized internal networks only using firewall rules
HARDENINGRemove or disable SOAP service exposure outside of the SmartClient application
HARDENINGApply least privilege principle to all user accounts in LDAP and limit permissions to access sensitive quality data fields
HARDENINGHarden IIS configuration: disable directory browsing, hide IIS version header, restrict file extension access to required types only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected products to version 2506 or later
Long-term hardening
0/1
HARDENINGCreate dedicated reporting accounts with access via database views/synonyms instead of direct table access to restrict information exposure
View full CISA ICS-CERT advisory
API: /api/v1/advisories/8e9b92a0-ee4a-4a62-99ef-9806062befe2

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens Opcenter Quality | CVSS 7.1 - OTPulse