Siemens Desigo CC Product Family and SENTRON Powermanager

Act Now | CVSS 8.8 | ICS-CERT ICSA-26-043-04 | Feb 10, 2026
Siemens | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Versions V6 through V8 QU1 of Desigo CC (Desigo CC, Desigo CC Compact, Desigo CC Connect, Cerberus DMS) and SENTRON Powermanager contain a buffer overflow vulnerability in the bundled WIBU Systems CodeMeter Runtime component. Successful exploitation could lead to code execution in the context of the running process, potentially allowing an attacker to execute arbitrary commands and alter building automation or energy management operations. Siemens has released patches for V8 systems and provided instructions to update the CodeMeter Runtime component separately.

What this means
What could happen
An attacker could execute arbitrary code on Desigo CC and SENTRON Powermanager systems, potentially allowing them to alter building automation controls, disable energy management, or manipulate power distribution operations.
Who's at risk
Facilities managers and energy professionals running Siemens Desigo CC building automation systems or SENTRON Powermanager energy management systems across V6, V7, and V8 versions. This affects building HVAC control, lighting management, energy monitoring, and power distribution management in commercial buildings and industrial facilities.
How it could be exploited
An attacker who can reach a Desigo CC or SENTRON Powermanager system over the network could trigger a buffer overflow in the bundled CodeMeter Runtime component with specially crafted input. No credentials are needed, but the vector metrics above list user interaction as required, so the overflow is expected to need a user on the target system to handle the crafted message or content. Successful exploitation gives the attacker code execution with whatever privileges the affected process runs with.
Prerequisites
  • Network access to the affected Desigo CC or SENTRON Powermanager system (the web interface is typically on port 80 or 443; because the flaw is in the bundled CodeMeter Runtime rather than the product's own web server, also check which ports that service listens on locally, for example with netstat on the host, and include them in any filtering)
  • No valid credentials required
  • User interaction required: a user on the system must handle the crafted message or content that triggers the overflow
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (26.3%)
  • No patch available for V6 and V7 versions
  • Affects critical building and energy management
Exploitability
Likely to be exploited — EPSS score 26.3%
Public Proof-of-Concept (PoC) on GitHub (9 repositories)
Affected products (6): 2 with fix, 4 EOL
Product                  | Affected Versions | Fix Status
Desigo CC family V8      | < V8.0 QU2        | 8.0 QU2
SENTRON Powermanager V8  | < V8.0 QU2        | 8.0 QU2
Desigo CC family V6      | All versions      | No fix (EOL)
Desigo CC family V7      | All versions      | No fix (EOL)
SENTRON Powermanager V6  | All versions      | No fix (EOL)
SENTRON Powermanager V7  | All versions      | No fix (EOL)
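As an added example (not code from OTPulse or Siemens), the following Python script encodes the table above and parses version strings such as "V8.0 QU1" so that a fleet inventory export can be sorted into fixed, needs-update, EOL and out-of-scope buckets, each tagged with the matching remediation item from the section below. The inventory rows are constructed sample data, and the version-string format is an assumption about how an inventory tool exports it.

```python
"""Fleet triage against the affected-version table for ICSA-26-043-04.

Added example for this page; it is not code from OTPulse or Siemens. It
encodes the table above (V8 lines fixed at 8.0 QU2, V6 and V7 lines EOL)
and parses version strings such as "V8.0 QU1". The inventory rows at the
bottom are constructed sample data, and the version-string format is an
assumption about how your inventory tool exports it.
"""
import re
from collections import defaultdict

# Products the summary names as part of the Desigo CC family, plus Powermanager.
IN_SCOPE = {
    "desigo cc", "desigo cc compact", "desigo cc connect",
    "cerberus dms", "sentron powermanager",
}
FIXED_VERSION = (8, 0, 2)   # table: affected "< V8.0 QU2", fix status "8.0 QU2"
EOL_MAJORS = {6, 7}         # table: "All versions ... No fix (EOL)"

# "V8.0 QU1", "8.0", "v7 qu3" -> (major, minor, qu); missing parts read as 0.
_VERSION_RE = re.compile(r"^V?(\d+)(?:\.(\d+))?(?:\s*QU(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable (major, minor, qu) tuple, so that QU numbers
    compare numerically (QU10 > QU2) rather than as strings."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, qu = match.groups()
    return (int(major), int(minor or 0), int(qu or 0))


def classify(product, version):
    """Map one host to a status and the matching remediation item."""
    if product.strip().lower() not in IN_SCOPE:
        return "not-in-scope", "product not named in this advisory"
    parsed = parse_version(version)
    if parsed[0] in EOL_MAJORS:
        return "eol", "no product fix: segment and firewall now; plan migration to V8"
    if parsed[0] == FIXED_VERSION[0]:
        if parsed >= FIXED_VERSION:
            return "fixed", "at 8.0 QU2 or later; confirm the bundled CodeMeter Runtime was updated"
        return "vulnerable", "schedule update to 8.0 QU2 plus the CodeMeter Runtime patch"
    # V5 and below, V9 and above: outside the table, do not assume either way.
    return "unlisted", "version not covered by the table; check the Siemens advisory"


def triage(inventory):
    """Group an inventory of {'host', 'product', 'version'} rows by status."""
    buckets = defaultdict(list)
    for row in inventory:
        status, action = classify(row["product"], row["version"])
        buckets[status].append((row["host"], action))
    return dict(buckets)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "bms-01", "product": "Desigo CC", "version": "V8.0 QU1"},
    {"host": "bms-02", "product": "Desigo CC Compact", "version": "V8.0 QU2"},
    {"host": "fire-01", "product": "Cerberus DMS", "version": "V7.0 QU3"},
    {"host": "pm-01", "product": "SENTRON Powermanager", "version": "V6"},
    {"host": "pm-02", "product": "SENTRON Powermanager", "version": "V8.0 QU10"},
    {"host": "hmi-01", "product": "Other product", "version": "V8.0"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}:")
        for host, action in hosts:
            print(f"  {host}: {action}")
```

The tuple comparison is what keeps "V8.0 QU10" from being misread as older than "V8.0 QU2"; a plain string compare would get that wrong. Versions outside V6 to V8 are deliberately reported as unlisted rather than assumed safe.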
Remediation & Mitigation
Do now
SENTRON Powermanager V6 and V7
WORKAROUND: For SENTRON Powermanager V6 and V7 systems, where no patch is available, restrict network access to the web interface to authorized management networks only
Desigo CC family V6 and V7
WORKAROUND: For Desigo CC V6 and V7 systems, where no patch is available, restrict network access to the Desigo CC web interface to authorized administrative workstations only, using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Desigo CC family V8
HOTFIX: Update Desigo CC family V8 systems to version 8.0 QU2 or later
SENTRON Powermanager V8
HOTFIX: Update SENTRON Powermanager V8 systems to version 8.0 QU2 or later
All products
HOTFIX: Update the bundled CodeMeter Runtime component separately, as documented in the Additional Information section of the Siemens advisory. This item is listed for all products; check that section for whether the standalone CodeMeter update applies to V6 and V7 installations, which receive no product-level fix.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Desigo CC family V6, Desigo CC family V7, SENTRON Powermanager V6, SENTRON Powermanager V7. Apply the following compensating controls:
HARDENING: Segment Desigo CC and SENTRON Powermanager systems onto a separate administrative network with restricted access from general corporate networks

Siemens Desigo CC Product Family and SENTRON Powermanager | CVSS 8.8 - OTPulse