OTPulse

Siemens Desigo CC Product Family and SENTRON Powermanager

Plan Patch
Severity score: 8.2
ICS-CERT ICSA-25-231-01
Aug 14, 2025

Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

The Desigo CC product family (versions V5.0 through V8, including Desigo CC, Desigo CC Compact, Desigo CC Connect, and Cerberus DMS) and SENTRON Powermanager (versions V5 through V8) contain a privilege escalation vulnerability in the WIBU Systems CodeMeter Runtime component. Successful exploitation could allow a local administrator to escalate privileges and execute commands with elevated permissions on affected systems. The vulnerability is not remotely exploitable.

What this means
What could happen
An attacker with local administrative access could escalate privileges on Desigo CC and SENTRON Powermanager systems, potentially gaining control to modify building automation or power management settings. This could disrupt HVAC, lighting, or electrical distribution operations.
Who's at risk
This affects utilities and facility managers running building automation (Desigo CC) and electrical power management (SENTRON Powermanager) systems. Desigo CC is used for HVAC, lighting, and fire safety automation in buildings; SENTRON Powermanager monitors and controls electrical distribution. Energy sector organizations and large facilities with these systems should prioritize assessment.
How it could be exploited
The vulnerability exists in the WIBU Systems CodeMeter Runtime component bundled with Desigo CC and SENTRON Powermanager. An attacker with local administrative credentials could exploit this privilege escalation flaw to run elevated commands on the system, allowing them to reconfigure automation logic or shut down critical functions.
Prerequisites
  • Local access to the system (not remotely exploitable)
  • High privilege account (administrative credentials required)
  • Desigo CC or SENTRON Powermanager running affected versions V5.0 through V8
  • no authentication required (privileged local user assumed)
  • low exploit complexity
  • affects critical infrastructure (energy/utilities)
  • no patch currently available
  • bundled third-party component vulnerability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (9)
9 pending

Product                    | Affected Versions | Fix Status
Desigo CC family V5.0      | All versions      | No fix yet
Desigo CC family V5.1      | All versions      | No fix yet
Desigo CC family V6        | All versions      | No fix yet
Desigo CC family V7        | All versions      | No fix yet
Desigo CC family V8        | All versions      | No fix yet
SENTRON Powermanager V5    | All versions      | No fix yet
SENTRON Powermanager V6    | All versions      | No fix yet
SENTRON Powermanager V7    | All versions      | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Restrict local administrative access to Desigo CC and SENTRON Powermanager servers to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update WIBU CodeMeter Runtime to version 8.30a or later on all Desigo CC and SENTRON Powermanager systems
Long-term hardening
  • HARDENING: Isolate Desigo CC and SENTRON Powermanager systems from the general IT network using firewalls and network segmentation
  • HARDENING: Disable unnecessary remote access to these systems; use VPN with current patches only if remote access is required
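As an added example (not part of the OTPulse advisory or any Siemens or WIBU tooling), the following Python checks a constructed host inventory against the 8.30a fix level named above. Hostnames and installed versions are made up, and the ordering of WIBU's lettered releases (8.30 before 8.30a before 8.30b) is an assumption.

```python
"""Flag hosts whose WIBU CodeMeter Runtime is below the advisory's 8.30a fix level.
Added example; inventory data is constructed and the lettered-release ordering
(8.30 < 8.30a < 8.30b < 8.40) is an assumption about WIBU's version scheme."""
import re
from typing import NamedTuple, Optional

FIX_LEVEL = "8.30a"   # from the advisory: update to 8.30a or later
AFFECTED_PRODUCTS = ("Desigo CC", "SENTRON Powermanager")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '8.30a' into (8, 30, 1); a missing letter sorts before 'a'."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised CodeMeter version: {text!r}")
    major, minor, letter = m.groups()
    return int(major), int(minor), (ord(letter) - ord("a") + 1) if letter else 0


def is_fixed(installed: str, fix_level: str = FIX_LEVEL) -> bool:
    """True when the installed runtime is at or above the fix level."""
    return parse_version(installed) >= parse_version(fix_level)


class Host(NamedTuple):
    name: str
    product: str
    codemeter: Optional[str]  # None: runtime version not yet collected

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    Host("bms-srv-01", "Desigo CC", "8.20"),
    Host("bms-srv-02", "Desigo CC", "8.30"),      # unlettered 8.30 is below 8.30a
    Host("bms-srv-03", "Desigo CC", "8.30a"),
    Host("pm-srv-01", "SENTRON Powermanager", "7.60c"),
    Host("pm-srv-02", "SENTRON Powermanager", "8.40"),
    Host("pm-srv-03", "SENTRON Powermanager", None),
    Host("hist-srv-01", "Other historian", "7.10"),  # not an affected product
]


def hosts_needing_update(inventory: list[Host]) -> list[str]:
    """Names of affected-product hosts not at the fix level; unknown versions
    are reported as well, since they need a manual check before sign-off."""
    out = []
    for h in inventory:
        if not h.product.startswith(AFFECTED_PRODUCTS):
            continue
        if h.codemeter is None or not is_fixed(h.codemeter):
            out.append(h.name)
    return out
```

Hosts returned by `hosts_needing_update` are the ones to schedule for the HOTFIX step; the product filter keeps the check scoped to the two affected product families.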