OTPulse

Privilege Management Vulnerability and Multiple Nucleus RTOS Vulnerabilities in APOGEE/TALON Field Panels before V3.5.5/V2.8.20

Recommended action: Plan Patch
CVSS: 8.8
Siemens advisory: SSA-180579
Published: Dec 13, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

APOGEE PXC and TALON TC field panels running Nucleus RTOS contain multiple vulnerabilities:

CVE-2022-45937: A privilege management flaw allows low-privilege authenticated users to escalate to administrative privileges and execute arbitrary commands on the device. An attacker with valid technician credentials could modify building automation logic, alter temperature setpoints, disable equipment interlocks, or stop critical HVAC/process operations.

CVE-2020-28388 and DNS implementation flaws in Nucleus RTOS: Predictable TCP Initial Sequence Numbers and weak DNS handling could allow network-based attackers to hijack established connections to the field panel or perform DNS spoofing attacks, redirecting the device to malicious servers.

Affected firmware versions:
  • BACnet-based APOGEE PXC Compact, Modular, TALON TC Compact, and TALON TC Modular: versions before V3.5.5
  • P2 Ethernet-based APOGEE PXC Compact and Modular: versions before V2.8.20

Siemens has released corrected firmware for all affected products.

What this means
What could happen
An authenticated attacker with low-level access to an APOGEE or TALON field panel could escalate to administrative privileges and run arbitrary commands, potentially altering building automation logic, HVAC setpoints, or process controls. Additionally, predictable TCP sequence numbers in the Nucleus RTOS could allow network-based session hijacking.
Who's at risk
Building automation and HVAC system operators using Siemens APOGEE PXC or TALON TC field panels (compact or modular models with BACnet or P2 Ethernet connectivity) should prioritize patching. These devices directly control temperature setpoints, damper positions, and equipment startup/shutdown logic in commercial buildings and campus facilities.
How it could be exploited
An attacker with valid user credentials (e.g., a technician account) connects to the field panel's management interface, exploits the privilege escalation vulnerability to gain administrative rights, and issues commands to change control logic or disable safety interlocks. Alternatively, an attacker on the network could exploit the predictable TCP sequence numbers to hijack an existing connection to the device.
Prerequisites
  • Valid user credentials (low-privilege account) to authenticate to the field panel
  • Network access to the field panel's management port (BACnet or P2 Ethernet protocol)
  • For TCP hijacking: proximity to the network path between the field panel and the management station to intercept and predict TCP sequence numbers
Tags: remotely exploitable · low complexity · requires valid credentials · affects building automation and process control · predictable TCP sequence numbers enable session hijacking
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (6)
6 with fix
Product                             Affected Versions   Fix Status
APOGEE PXC Compact (BACnet)         < V3.5.5            3.5.5
APOGEE PXC Compact (P2 Ethernet)    < V2.8.20           2.8.20
APOGEE PXC Modular (BACnet)         < V3.5.5            3.5.5
APOGEE PXC Modular (P2 Ethernet)    < V2.8.20           2.8.20
TALON TC Compact (BACnet)           < V3.5.5            3.5.5
TALON TC Modular (BACnet)           < V3.5.5            3.5.5
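The table above is what an asset owner has to reconcile against a panel inventory, and firmware strings from engineering tools rarely come in one shape ("V3.5.5", "3.5", "v2.9.1"). The following triage script is an added example, not OTPulse or Siemens code: it encodes the fix thresholds from the table, normalizes version strings so that a two-component version like "V3.5" compares correctly as older than 3.5.5, and classifies each device as vulnerable, fixed, or not covered by this advisory. The inventory records, host names, and the unlisted product name are constructed sample data.

```python
"""Firmware triage against the SSA-180579 affected-product table (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# First fixed firmware per (product family, protocol), taken from the advisory table.
FIXED_VERSION: dict[tuple[str, str], str] = {
    ("APOGEE PXC Compact", "BACnet"): "3.5.5",
    ("APOGEE PXC Compact", "P2 Ethernet"): "2.8.20",
    ("APOGEE PXC Modular", "BACnet"): "3.5.5",
    ("APOGEE PXC Modular", "P2 Ethernet"): "2.8.20",
    ("TALON TC Compact", "BACnet"): "3.5.5",
    ("TALON TC Modular", "BACnet"): "3.5.5",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Normalize 'V3.5.5', 'v 2.8', '3.5.5.1' to a tuple of ints.

    Short versions are padded with zeros to three components so that
    '3.5' becomes (3, 5, 0) and sorts before (3, 5, 5); longer versions
    keep their extra components, so 3.5.5.1 still sorts after 3.5.5.
    """
    m = re.fullmatch(r"\s*[vV]?\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    protocol: str
    version: str
    status: str          # "vulnerable", "fixed", or "not-listed"
    fix: str | None      # target firmware from the table, if the product is listed


def triage(inventory: list[dict[str, str]]) -> list[Finding]:
    """Compare each inventory record against the advisory thresholds."""
    findings: list[Finding] = []
    for dev in inventory:
        fix = FIXED_VERSION.get((dev["product"], dev["protocol"]))
        if fix is None:
            status = "not-listed"   # product/protocol pair is not in this advisory
        elif parse_version(dev["version"]) < parse_version(fix):
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append(Finding(dev["host"], dev["product"], dev["protocol"],
                                dev["version"], status, fix))
    return findings


def patch_worklist(findings: list[Finding]) -> list[tuple[str, str]]:
    """(host, target firmware) pairs for the maintenance-window schedule."""
    return [(f.host, f.fix) for f in findings if f.status == "vulnerable" and f.fix]


# Constructed sample inventory; host names and the last product are placeholders.
SAMPLE_INVENTORY = [
    {"host": "pxc-bldg7-01", "product": "APOGEE PXC Compact", "protocol": "BACnet", "version": "V3.5.4"},
    {"host": "pxc-bldg7-02", "product": "APOGEE PXC Modular", "protocol": "P2 Ethernet", "version": "2.8.20"},
    {"host": "talon-lab-03", "product": "TALON TC Modular", "protocol": "BACnet", "version": "V3.5"},
    {"host": "pxc-annex-04", "product": "APOGEE PXC Compact", "protocol": "P2 Ethernet", "version": "v2.9.1"},
    {"host": "other-05", "product": "EXAMPLE-OTHER-PANEL", "protocol": "BACnet", "version": "1.0"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        target = f"-> update to {f.fix}" if f.status == "vulnerable" else ""
        print(f"{f.host:14} {f.product:22} {f.protocol:12} {f.version:8} {f.status:11} {target}")
```

Devices reported as "not-listed" are not cleared; they simply fall outside this advisory and need to be checked against their own product's advisories. The worklist output maps directly onto the reboot-requiring hotfix steps in the remediation section.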
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact (BACnet) to firmware version 3.5.5 or later
HOTFIX: Update APOGEE PXC Modular (BACnet) to firmware version 3.5.5 or later
HOTFIX: Update TALON TC Compact (BACnet) to firmware version 3.5.5 or later
HOTFIX: Update TALON TC Modular (BACnet) to firmware version 3.5.5 or later
APOGEE PXC Compact (P2 Ethernet)
HOTFIX: Update APOGEE PXC Compact (P2 Ethernet) to firmware version 2.8.20 or later
HOTFIX: Update APOGEE PXC Modular (P2 Ethernet) to firmware version 2.8.20 or later
Long-term hardening
HARDENING: Restrict network access to field panel management interfaces to trusted engineering workstations and limit user account privileges to the minimum required