Siemens Desigo CC Product Family and SENTRON Powermanager

Status: Plan Patch | CVSS 8.2 | ICS-CERT ICSA-25-231-01 | Aug 14, 2025
Vendor: Siemens | Sector: Energy
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Versions V5.0 through V8 of Siemens Desigo CC (all variants including Compact, Connect, Cerberus DMS) and SENTRON Powermanager contain a privilege escalation vulnerability in the bundled WIBU Systems CodeMeter Runtime component. An attacker with local administrative privileges could exploit this vulnerability to escalate further, gaining full control of the system. Siemens has not released a fixed version of these products but has provided instructions to update the underlying CodeMeter Runtime component to V8.30a, which addresses the issue.

What this means
What could happen
An attacker with administrative privileges could escalate their access on a Desigo CC or SENTRON Powermanager system, potentially allowing them to modify building automation or power management configurations, disable monitoring, or disrupt facility operations.
Who's at risk
Building facility managers and energy utilities deploying Desigo CC building automation systems or SENTRON Powermanager power management systems are affected. This includes anyone managing HVAC, lighting, power distribution, or facility control systems powered by these platforms across versions V5 through V8.
How it could be exploited
An attacker with local administrative access to the server running Desigo CC or SENTRON Powermanager can exploit a flaw in the bundled WIBU CodeMeter Runtime component to escalate privileges further, gaining unrestricted control over the system's functions.
Prerequisites
  • Local administrative access to the Desigo CC or SENTRON Powermanager server
  • System must be running an affected CodeMeter Runtime version (prior to V8.30a)
  • High CVSS score (8.2)
  • Privilege escalation capability
  • No patch available
  • Requires local administrative access
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
9 pending

Product | Affected Versions | Fix Status
Desigo CC family V5.0 | All versions | No fix yet
Desigo CC family V5.1 | All versions | No fix yet
Desigo CC family V6 | All versions | No fix yet
Desigo CC family V7 | All versions | No fix yet
Desigo CC family V8 | All versions | No fix yet
SENTRON Powermanager V5 | All versions | No fix yet
SENTRON Powermanager V6 | All versions | No fix yet
SENTRON Powermanager V7 | All versions | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Restrict local administrative access to Desigo CC and SENTRON Powermanager servers to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Uninstall the current CodeMeter version from Control Panel on all Desigo CC and SENTRON Powermanager servers
  • HOTFIX: Install CodeMeter V8.30a from WIBU Systems and restart the server
Long-term hardening
  • HARDENING: Isolate Desigo CC and SENTRON Powermanager servers from business network segments using firewalls and network segmentation
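Before scheduling the hotfix window, a defender usually wants an inventory of which servers are still on a CodeMeter Runtime below V8.30a. The following PowerShell check is an added example, not code from Siemens, WIBU or this advisory; it assumes the CodeMeter installer registers under the standard Windows Uninstall keys with a DisplayName beginning "CodeMeter" and a numeric DisplayVersion whose first two fields are major.minor (the "a" suffix of 8.30a is not assumed to appear in that string, so an exact 8.30 is flagged for manual confirmation).

```powershell
# Added example (not Siemens', WIBU's or the advisory's own code): list the
# CodeMeter Runtime installed on this Windows server and compare it with the
# V8.30a the advisory names as the fix. Registry names below are assumptions.
$RequiredVersion = [version]'8.30'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CodeMeterStatus {
    $found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CodeMeter*' }

    if (-not $found) {
        # No CodeMeter entry: not installed, or registered under another name.
        # Treat as something to verify by hand rather than as safe.
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Product = $null
                                  Version = $null; Status = 'CHECK - no CodeMeter entry found' }
    }

    foreach ($app in $found) {
        if ($app.DisplayVersion -match '^(\d+)\.(\d+)') {
            # Keep only major.minor so any build suffix cannot break the cast.
            $ver = [version]"$($Matches[1]).$($Matches[2])"
            $status = if ($ver -lt $RequiredVersion) {
                'VULNERABLE - below V8.30a; schedule the uninstall/install/restart steps'
            } elseif ($ver -eq $RequiredVersion) {
                'CHECK - 8.30 found; confirm it is the 8.30a build against WIBU release notes'
            } else {
                'OK - newer than V8.30a'
            }
        } else {
            $status = 'CHECK - DisplayVersion could not be parsed'
        }
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Product = $app.DisplayName
                           Version = $app.DisplayVersion; Status = $status }
    }
}

Get-CodeMeterStatus | Format-Table -AutoSize
```

Run it through Invoke-Command -ComputerName against each Desigo CC and SENTRON Powermanager server to collect one status line per host before and after the maintenance window.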
