Privilege Escalation Vulnerability in WIBU CodeMeter Runtime Affecting the Desigo CC Product Family and SENTRON Powermanager
Plan: Patch | Score: 8.2 | Advisory: SSA-201595 | Aug 14, 2025
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
A privilege escalation vulnerability exists in WIBU Systems CodeMeter Runtime used by Desigo CC (versions 5.0 through 8.0) and SENTRON Powermanager (versions 5 through 8). The vulnerability affects all versions through v7, and v8.x versions before QU2. Successful exploitation requires local access and high-level privileges on the affected system and could allow an attacker to escalate to higher privilege levels, potentially gaining control over building automation and power management functionality.
What this means
What could happen
An attacker with local administrative access to a Desigo CC or SENTRON Powermanager system could escalate their privileges, potentially gaining control over building automation and power management functions that affect facility operations.
Who's at risk
Building automation system administrators and power distribution managers running Siemens Desigo CC (v5.0–v7, and v8.x before QU2) or SENTRON Powermanager (v5–v7, and v8.x before QU2) are affected by this vulnerability. The affected products are building management systems and power monitoring/control platforms commonly deployed in commercial facilities, hospitals, data centers, and industrial plants.
How it could be exploited
An attacker with high-level privileges on the Desigo CC or SENTRON Powermanager host (such as a system administrator) could exploit the CodeMeter Runtime vulnerability to escalate to higher privilege levels. This could allow them to manipulate building automation settings, alter power distribution controls, or disrupt facility operations.
Prerequisites
- Local access to the Desigo CC or SENTRON Powermanager system
- High-privilege account (administrator-level credentials or equivalent)
- CodeMeter Runtime component installed and running
Key points:
- Requires local access and high privileges
- Affects building automation and power management systems
- Older Desigo CC and SENTRON Powermanager versions have no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (9)
2 with fix, 7 EOL

Product                      Affected Versions            Fix Status
Desigo CC family V5.0        All versions                 No fix (EOL)
Desigo CC family V5.1        All versions                 No fix (EOL)
Desigo CC family V6          All versions                 No fix (EOL)
Desigo CC family V7          All versions                 No fix (EOL)
Desigo CC family V8          All versions < V8.0 QU2      8.0 QU2
SENTRON Powermanager V5      All versions                 No fix (EOL)
SENTRON Powermanager V6      All versions                 No fix (EOL)
SENTRON Powermanager V8      All versions < V8.0 QU2      8.0 QU2
Remediation & Mitigation
Do now
- HARDENING: Restrict local system access to Desigo CC and SENTRON Powermanager servers to authorized personnel only

Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
- HOTFIX: Update Desigo CC to version 8.0 QU2 or later
- HOTFIX: Update SENTRON Powermanager to version 8.0 QU2 or later
- HOTFIX: Update the CodeMeter Runtime component as documented in Siemens guidance
CVEs (1)
API:
/api/v1/advisories/f6854501-16b7-4fb8-8c84-90c249555a6e