OTPulse

Siemens BFCClient

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-226-21 · Aug 12, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens BFCClient versions prior to 2.17 contain multiple vulnerabilities in the integrated OpenSSL component affecting buffer handling and certificate validation. These flaws allow an attacker with network access to read memory contents, alter application behavior, or trigger denial of service. The vulnerabilities span CWE-120 (buffer copy without bounds checking), CWE-125 (out-of-bounds read), CWE-835 (infinite loop), CWE-843 (access control), and CWE-295 (improper certificate validation).

What this means
What could happen
An attacker with network access to BFCClient could read sensitive data from application memory, alter critical process settings or application behavior, or crash the application and disrupt operations.
Who's at risk
Any organization running Siemens BFCClient versions prior to 2.17 should evaluate this immediately. BFCClient is used for industrial process configuration and monitoring, so utilities managing SCADA, PLC, or HMI systems via Siemens components are at risk if BFCClient is on their engineering or operational networks.
How it could be exploited
An attacker on the network sends specially crafted messages that exploit OpenSSL buffer handling or certificate validation flaws in BFCClient. The vulnerability allows memory disclosure, code execution, or denial of service without requiring authentication or user interaction.
Prerequisites
  • Network access to BFCClient
  • BFCClient version < 2.17
  • No authentication required
remotely exploitable · no authentication required · low complexity · high EPSS score (88.5%) · affects safety-critical configurations
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (1)
Product | Affected Versions | Fix Status
BFCClient | < 2.17 | 2.17
Remediation & Mitigation
Do now
WORKAROUND: Disable CRL (certificate revocation list) checking in BFCClient if operationally feasible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update BFCClient to version 2.17 or later
Long-term hardening
HARDENING: Restrict network access to BFCClient using firewall rules; ensure it is not directly reachable from the internet or business network
HARDENING: Segment BFCClient systems behind firewalls on an isolated industrial network
HARDENING: Use a VPN for any required remote access to BFCClient systems
Siemens BFCClient | CVSS 9.8 - OTPulse