OTPulse

Siemens Desigo CC Product Family and SENTRON Powermanager

Act Now | CVSS 8.8 | ICS-CERT ICSA-26-043-04 | Feb 10, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Versions V6.0 through V8 QU1 of Desigo CC product family (including Desigo CC, Desigo CC Compact, Desigo CC Connect, Cerberus DMS) and SENTRON Powermanager are affected by a vulnerability in the third-party component WIBU Systems CodeMeter Runtime. Successful exploitation could lead to code execution in the context of the current process.

What this means
What could happen
An attacker could execute arbitrary code on Desigo CC and SENTRON Powermanager systems, potentially allowing control over building automation, HVAC systems, and electrical power management operations at your facility.
Who's at risk
Building automation managers and facility operators using Siemens Desigo CC systems for HVAC, lighting, and environmental control, as well as electrical utility operators using SENTRON Powermanager for power distribution and monitoring. Affects all versions V6.0 through V8 QU1 of both product families.
How it could be exploited
An attacker with network access to a Desigo CC or SENTRON Powermanager system could exploit the WIBU CodeMeter Runtime vulnerability to execute arbitrary code on the affected system. The attack vector is network-based with low complexity and no authentication required.
Prerequisites
  • Network access to the affected Desigo CC or SENTRON Powermanager system
  • System running an affected product version (V6.0 through V8 QU1) that includes the vulnerable CodeMeter Runtime
  • User interaction may be required (indicated by CVSS User Interaction flag)
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (26.8%)
  • affects building automation and power management systems
  • no patch available for V6 and V7 versions
Exploitability
High exploit probability (EPSS 26.8%)
Affected products (6)
2 with fix, 4 EOL
Product | Affected Versions | Fix Status
Desigo CC family V8 | <V8.0 QU2 | 8.0 QU2
SENTRON Powermanager V8 | <V8.0 QU2 | 8.0 QU2
Desigo CC family V6 | All versions | No fix (EOL)
Desigo CC family V7 | All versions | No fix (EOL)
SENTRON Powermanager V6 | All versions | No fix (EOL)
SENTRON Powermanager V7 | All versions | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SENTRON Powermanager V8
HOTFIX: Upgrade SENTRON Powermanager V8 systems to version 8.0 QU2 or later
All products
HOTFIX: Upgrade Desigo CC V8 systems to version 8.0 QU2 or later
HOTFIX: Apply CodeMeter Runtime patch as documented in Siemens advisory section 'Additional Information' for V6 and V7 systems
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Desigo CC family V6, Desigo CC family V7, SENTRON Powermanager V6, SENTRON Powermanager V7. Apply the following compensating controls:
HARDENING: Segment Desigo CC and SENTRON Powermanager systems on isolated networks or behind firewalls to restrict network access to authorized personnel and systems only
HARDENING: Monitor Desigo CC and SENTRON Powermanager systems for unauthorized access attempts and code execution indicators