Multiple Vulnerabilities in APOGEE/TALON Field Panels
Plan Patch · 7.5 · SSA-148078 · Oct 12, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple unauthenticated information disclosure vulnerabilities in Siemens APOGEE PXC and TALON TC field panels allow attackers to download sensitive data through the integrated webserver. The vulnerabilities exist in both BACnet and P2 Ethernet communication modules. APOGEE PXC Compact (BACnet), APOGEE PXC Modular (BACnet), TALON TC Compact (BACnet), and TALON TC Modular (BACnet) are affected. All versions of APOGEE PXC Compact (P2 Ethernet) and APOGEE PXC Modular (P2 Ethernet) are affected with no vendor fix planned. Root causes include missing authentication checks (CWE-287) and potential path traversal issues (CWE-22) in the web interface.
What this means
What could happen
An attacker with network access to the web interface could download sensitive configuration or operational data from the field panel without logging in, potentially exposing building automation parameters, security settings, or operational schedules.
Who's at risk
Building automation system operators using Siemens APOGEE PXC or TALON TC field panels for HVAC, lighting, or environmental control. BACnet variants can be patched; P2 Ethernet variants (which have no vendor fix) remain at risk and require network isolation to prevent unauthorized data access.
How it could be exploited
An attacker on the network makes HTTP requests to the integrated webserver on port 80 (or 443) of an affected field panel. Because authentication checks are missing, the panel's web interface serves files or information to unauthenticated requests, so the attacker retrieves sensitive data without valid credentials.
Prerequisites
- Network access to the field panel's HTTP/HTTPS web interface (typically port 80 or 443)
- No valid credentials required
- Field panel running firmware below version 3.5 (BACnet variants) or any firmware version (P2 Ethernet variants)
Remotely exploitable · No authentication required · Low complexity · High EPSS score (10.0%) · No patch available for P2 Ethernet variants · Sensitive data exposure · Default or missing access controls
Exploitability
Moderate exploit probability (EPSS 10.0%)
Affected products (6)
4 with fix, 2 EOL
Product | Affected Versions | Fix Status
APOGEE PXC Compact (BACnet) | < V3.5 | 3.5
APOGEE PXC Modular (BACnet) | < V3.5 | 3.5
TALON TC Compact (BACnet) | < V3.5 | 3.5
TALON TC Modular (BACnet) | < V3.5 | 3.5
APOGEE PXC Compact (P2 Ethernet) | All versions | No fix (EOL)
APOGEE PXC Modular (P2 Ethernet) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
APOGEE PXC Compact (P2 Ethernet)
WORKAROUND: Implement network firewall rules to restrict HTTP/HTTPS access to APOGEE PXC Compact (P2 Ethernet) and APOGEE PXC Modular (P2 Ethernet) field panels to authorized engineering workstations and management systems only
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact (BACnet) to firmware version 3.5 or later
HOTFIX: Update APOGEE PXC Modular (BACnet) to firmware version 3.5 or later
HOTFIX: Update TALON TC Compact (BACnet) to firmware version 3.5 or later
HOTFIX: Update TALON TC Modular (BACnet) to firmware version 3.5 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE PXC Compact (P2 Ethernet), APOGEE PXC Modular (P2 Ethernet). Apply the following compensating controls:
HARDENING: Isolate APOGEE PXC (P2 Ethernet) and TALON TC (P2 Ethernet) variants on a dedicated, access-controlled building automation network segment
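One way to check that the remediation above is in effect, as an added example that is not part of the advisory or any vendor tooling: it maps each panel in an inventory to the advisory's action (patch BACnet panels below 3.5, isolate P2 Ethernet panels) and flags flow records that reach a panel's web ports from outside the authorized workstation range. The inventory, addresses (documentation ranges), allow-list and flow records are constructed assumptions.

```python
import ipaddress

# Constructed sample data: addresses come from documentation ranges, not the advisory.
PANELS = {  # panel IP -> (product, communication module, firmware version)
    "192.0.2.10": ("APOGEE PXC Compact", "BACnet", "3.4.1"),
    "192.0.2.11": ("TALON TC Modular", "BACnet", "3.5"),
    "192.0.2.20": ("APOGEE PXC Modular", "P2 Ethernet", "2.8"),
}
AUTHORIZED = [ipaddress.ip_network("198.51.100.0/28")]  # engineering workstations (assumed)
WEB_PORTS = {80, 443}  # integrated webserver ports named in the advisory
FLOWS = [  # (source, destination, destination port), constructed
    ("198.51.100.5", "192.0.2.20", 80),
    ("203.0.113.77", "192.0.2.20", 80),
    ("203.0.113.77", "192.0.2.10", 443),
    ("203.0.113.77", "192.0.2.11", 47808),
]

def parse_version(text):
    """Turn 'V3.4.1' or '3.5' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.lstrip("Vv").split("."))

def triage(module, version):
    """Map a panel to the advisory's action for its communication module."""
    if module == "P2 Ethernet":
        return "isolate"  # all versions affected, no fix planned
    if module == "BACnet" and parse_version(version) < (3, 5):
        return "patch"    # fixed in firmware 3.5
    return "ok"

def unauthorized_web_flows(flows, panels, authorized):
    """Return flows reaching a panel's web interface from outside the allow-list."""
    hits = []
    for src, dst, port in flows:
        if dst not in panels or port not in WEB_PORTS:
            continue
        if not any(ipaddress.ip_address(src) in net for net in authorized):
            hits.append((src, dst, port, triage(*panels[dst][1:])))
    return hits

if __name__ == "__main__":
    for ip, (product, module, version) in PANELS.items():
        print(ip, product, module, version, "->", triage(module, version))
    for hit in unauthorized_web_flows(FLOWS, PANELS, AUTHORIZED):
        print("unauthorized web access:", hit)
```

Any hit against a panel triaged as "isolate" means the firewall workaround is not holding for a device that cannot be patched.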
CVEs (2)