Siemens Apogee PXC and Talon TC Devices

Monitor5.3ICS-CERT ICSA-25-254-05Sep 9, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Apogee PXC and Talon TC controllers contain a vulnerability allowing unauthorized download of the device encrypted database file via BACnet or P2 Ethernet network interfaces. The vulnerability requires only network access with no authentication. An attacker could obtain sensitive device configuration, programming logic, and operational parameters in an encrypted file, which may be subject to offline cryptographic attacks or enable further reconnaissance. Siemens is preparing fix versions but has not yet released them. Until patches are available, Siemens recommends restricting network access to the devices using firewalls and implementing protected IT environments per their operational guidelines.

What this means

What could happen

An attacker could download the encrypted database file from PXC and TC control devices, potentially exposing configuration, programming, and operational parameters. While the file is encrypted, possession of it could enable offline attacks or credential extraction if encryption is weak.

Who's at risk

Building automation and HVAC operators using Siemens Apogee PXC Series controllers (all versions) and Talon TC Series controllers (all versions) should be concerned. These devices are commonly deployed in large commercial buildings, hospitals, universities, and industrial facilities where they control critical environmental and process systems. All currently deployed versions are vulnerable.

How it could be exploited

An attacker with network access to the device (via BACnet or P2 Ethernet) can initiate a file download request to extract the device database. The attack requires no authentication or user interaction, allowing direct exploitation from a remote network position.

Prerequisites

Network access to the device on BACnet or P2 Ethernet port
Device connected to a network accessible from attacker's position
No additional credentials or authentication required

remotely exploitableno authentication requiredlow complexityno patch availableall versions affected

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

APOGEE PXC Series (BACnet)All versionsNo fix (EOL)

TALON TC Series (BACnet)All versionsNo fix (EOL)

APOGEE PXC Series (P2 Ethernet)All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to PXC and TC devices using firewall rules, allowing only authorized engineering workstations and supervisory systems to communicate with the devices

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for unauthorized database download requests or unusual file access patterns on PXC and TC devices

HOTFIXApply vendor security updates when available. Siemens is preparing fix versions—subscribe to Siemens security advisories for availability

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: APOGEE PXC Series (BACnet), TALON TC Series (BACnet), APOGEE PXC Series (P2 Ethernet). Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate PXC and TC devices on a separate VLAN or logical network from untrusted networks and IT systems

HARDENINGDisable BACnet or P2 Ethernet ports on devices that do not require remote access; use only local programming interfaces where possible

CVEs (1)

CVE-2025-40757

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d3ce82da-4bd8-4a10-aa4f-dab048a945a2