Siemens BFCClient

CVSS 9.8 | ICS-CERT ICSA-25-226-21 | Published Aug 12, 2025
Vendor: Siemens
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Siemens BFCClient versions prior to 2.17 contain multiple vulnerabilities in the integrated OpenSSL component, including buffer overflows and out-of-bounds reads (CWE-120, CWE-125), infinite loops (CWE-835), type confusion (CWE-843), and improper certificate validation (CWE-295). These vulnerabilities allow unauthenticated remote attackers to read memory contents, alter application behavior, or trigger denial of service conditions. The flaws lie in the OpenSSL library shipped with BFCClient rather than in Siemens-specific code, and the fix is the updated OpenSSL delivered with BFCClient 2.17.

What this means
What could happen
An attacker with network access to BFCClient could read sensitive data from memory, alter application behavior, or cause denial of service, potentially disrupting building facility automation operations.
Who's at risk
Building facility automation operators and IT staff managing Siemens BFCClient deployments. This affects any organization using BFCClient for building management functions such as HVAC, lighting, or access control integration.
How it could be exploited
An unauthenticated attacker who can reach BFCClient over the network can send crafted TLS traffic or certificate data that the integrated OpenSSL component parses. Malformed input triggers the buffer overflows, out-of-bounds reads and infinite loops listed above, which lets the attacker read process memory, alter application behavior, or crash or hang the service. Because the advisory also cites improper certificate validation (CWE-295), a peer certificate that should be rejected may be accepted.
Prerequisites
  • Network access to BFCClient service port
  • No authentication required
  • BFCClient version earlier than 2.17
Tags: remotely exploitable, no authentication required, low complexity, high EPSS score, affects building control systems, memory corruption vulnerabilities
Exploitability
Likely to be exploited — EPSS score 88.4%
Public Proof-of-Concept (PoC) on GitHub (7 repositories)
Affected products (1)
Product | Affected Versions | Fix Status
BFCClient | < 2.17 | Fixed in 2.17
Remediation & Mitigation
Do now
WORKAROUND: Disable CRL (Certificate Revocation List) checking in the BFCClient configuration if CRL-based validation is not operationally required. Note that this removes revocation checking entirely: a revoked peer certificate will be accepted until the update to 2.17 restores normal validation, so treat it as a stop-gap, not a substitute for the fix.
HARDENING: Restrict network access to the BFCClient service port to only authorized engineering workstations and control systems using firewall rules, and drop everything else.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update BFCClient to version 2.17 or later
Long-term hardening
HARDENING: Isolate BFCClient and building automation systems from business networks using network segmentation
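A small helper for the remediation items above, added here as an example and not part of the Siemens advisory or of BFCClient itself. It does two things the checklist asks for: decides whether an installed BFCClient version is below the fixed 2.17 (comparing dot-separated fields numerically, since a plain string comparison would rank "2.9" above "2.17"), and generates an nftables ruleset that admits the BFCClient service port only from listed engineering workstation addresses. The port number, the host addresses, and the installed version shown are constructed placeholders; the real port and the authorized addresses come from your own deployment, and an nftables host is assumed.

```shell
#!/bin/sh
# Added example (not Siemens' code): version check plus firewall ruleset for
# the BFCClient advisory. Assumptions: Linux host with nftables; BFC_PORT and
# the allowed addresses below are placeholders to be replaced by the operator.

FIXED_VERSION="2.17"   # first fixed BFCClient release per the advisory
BFC_PORT="12345"       # PLACEHOLDER: the port BFCClient actually listens on

# version_lt A B -> exit 0 if A < B, comparing numeric fields left to right.
# Missing trailing fields count as 0, so "2" < "2.17" and "2.17.1" >= "2.17".
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"          # leading field of each string
        fa="${fa:-0}";  fb="${fb:-0}"         # empty field -> 0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac   # drop consumed field
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# bfcclient_affected VERSION -> exit 0 if VERSION is earlier than 2.17.
bfcclient_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# nft_ruleset PORT ADDR... -> prints an nftables ruleset that accepts TCP to
# PORT only from the listed source addresses/CIDRs and drops every other
# connection attempt to that port. Apply with: nft_ruleset ... | nft -f -
nft_ruleset() {
    port="$1"; shift
    [ $# -gt 0 ] || { echo "nft_ruleset: at least one allowed address is required" >&2; return 1; }
    allowed=$(printf '%s, ' "$@"); allowed="${allowed%, }"
    cat <<EOF
table inet bfcclient {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $port ip saddr { $allowed } accept
        tcp dport $port drop
    }
}
EOF
}

# Demonstration with constructed values (not real site data).
INSTALLED="2.16"
if bfcclient_affected "$INSTALLED"; then
    echo "BFCClient $INSTALLED is affected; update to $FIXED_VERSION or later"
fi
nft_ruleset "$BFC_PORT" 10.0.10.5 10.0.10.0/24
```

The ruleset keeps the chain policy at accept so that applying it does not disturb traffic on other ports; only the BFCClient port gains an allow-list followed by a drop. Run the check against the version string your inventory tooling reports for each host, and replace the placeholder port and addresses before loading the rules.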
