Siemens COMOS

Plan Patch | CVSS 9.3 | ICS-CERT ICSA-25-317-15 | Nov 13, 2024
Siemens
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

COMOS and Siveillance Video contain two vulnerabilities (CWE-184: Incomplete List of Disallowed Inputs and CWE-319: Cleartext Transmission of Sensitive Information) that could allow arbitrary code execution or data infiltration. An attacker with local access could exploit insecure data handling to run code with elevated privileges or exfiltrate sensitive engineering configurations. Siveillance Video 2022 R1–R3 and 2023 R1–R3, and COMOS versions prior to 10.4.5 are affected.

What this means
What could happen
An attacker with local access to a COMOS or Siveillance Video system could execute arbitrary code or extract sensitive engineering data, potentially altering process control logic or exposing critical plant configurations.
Who's at risk
This affects organizations using Siemens COMOS for process control engineering design and Siemens Siveillance Video for video monitoring in industrial plants. Specifically: engineering and design teams who use COMOS workstations, and facilities relying on Siveillance Video for physical security monitoring and surveillance in critical infrastructure including water utilities, electric generation, and manufacturing facilities.
How it could be exploited
An attacker with local system access (or via an already-compromised engineering workstation running COMOS) could exploit insecure data handling or weak credential storage to execute arbitrary code with system privileges. This could allow modification of process control parameters or exfiltration of plant engineering data.
Prerequisites
  • Local or interactive access to the affected COMOS or Siveillance Video system
  • Ability to run code or access local system files on the affected machine
remotely exploitable via compromised local system | no authentication required for local exploitation | low complexity | affects engineering and control system data | high CVSS (9.3)
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (7)
7 with fix
Product | Affected Versions | Fix Status
Siveillance Video 2022 R1 | All versions < V22.1 HotfixRev16 | 22.1 HotfixRev16
Siveillance Video 2022 R2 | All versions < V22.2 HotfixRev16 | 22.2 HotfixRev16
Siveillance Video 2022 R3 | All versions < V22.3 HotfixRev15 | 22.3 HotfixRev15
Siveillance Video 2023 R1 | All versions < V23.1 HotfixRev14 | 23.1 HotfixRev14
Siveillance Video 2023 R2 | All versions < V23.2 HotfixRev13 | 23.2 HotfixRev13
Siveillance Video 2023 R3 | All versions < V23.3 HotfixRev11 | 23.3 HotfixRev11
COMOS | < 10.4.5 | 10.4.5
Remediation & Mitigation
Do now
COMOS
WORKAROUND: Restrict network access to COMOS and Siveillance Video systems using firewall rules; ensure these systems are not directly accessible from the internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

COMOS
HOTFIX: Update COMOS to version 10.4.5 or later
Siveillance Video 2022 R1
HOTFIX: Update Siveillance Video 2022 R1 to version 22.1 HotfixRev16 or later
Siveillance Video 2022 R2
HOTFIX: Update Siveillance Video 2022 R2 to version 22.2 HotfixRev16 or later
Siveillance Video 2022 R3
HOTFIX: Update Siveillance Video 2022 R3 to version 22.3 HotfixRev15 or later
Siveillance Video 2023 R1
HOTFIX: Update Siveillance Video 2023 R1 to version 23.1 HotfixRev14 or later
Siveillance Video 2023 R2
HOTFIX: Update Siveillance Video 2023 R2 to version 23.2 HotfixRev13 or later
Siveillance Video 2023 R3
HOTFIX: Update Siveillance Video 2023 R3 to version 23.3 HotfixRev11 or later
Long-term hardening
COMOS
HARDENING: Ensure COMOS and Siveillance Video systems are isolated from business networks and located behind firewalls to minimize exposure

Siemens COMOS | CVSS 9.3 - OTPulse