Insufficient Session Expiration Vulnerability in Siemens Products
Plan Patch | 8.8 | SSA-342348 | Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Affected Siemens engineering software products do not properly invalidate user sessions upon logout. An attacker who obtains a session token by other means can reuse that token to access the software and perform actions as the legitimate user, even after that user has logged out. This could allow unauthorized modification of control logic, process parameters, or system configurations.
What this means
What could happen
An attacker with a stolen session token can access the engineering software as a legitimate user even after that user has logged out, potentially allowing unauthorized changes to critical process control logic or system configurations.
Who's at risk
Any organization using Siemens engineering software for industrial automation and process control, including water authorities, electric utilities, and manufacturing plants. This affects anyone who uses SIMATIC PCS neo, SIMOCODE ES, SIRIUS Safety ES, SIRIUS Soft Starter ES, or TIA Administrator for designing and managing control logic on PLCs, soft starters, and motor controllers.
How it could be exploited
An attacker obtains a valid session token from a user (through network sniffing, malware, or insider action), then uses that token to make requests to the affected software after the legitimate user has logged out. The software fails to invalidate the session, allowing the attacker to perform any action the original user had permission to do.
Prerequisites
- Session token obtained by attacker through network access or other means (e.g., compromised engineering workstation, network sniffing)
- Network connectivity to the affected software interface
- Legitimate user must have already logged out but attacker still has valid session token
- Remotely exploitable over network
- No authentication required (attacker uses stolen session token)
- Low complexity attack
- Affects engineering/control system configuration
- SIMATIC PCS neo V4.0 has no patch available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (7)
6 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC PCS neo V4.1 | All versions < V4.1 Update 2 | 4.1 Update 2 |
| SIMATIC PCS neo V5.0 | All versions < V5.0 Update 1 | 5.0 Update 1 |
| SIMOCODE ES V19 | All versions < V19 Update 1 | 19 Update 1 |
| SIRIUS Safety ES V19 (TIA Portal) | All versions < V19 Update 1 | 19 Update 1 |
| SIRIUS Soft Starter ES V19 (TIA Portal) | All versions < V19 Update 1 | 19 Update 1 |
| TIA Administrator | < V3.0.4 | 3.0.4 |
| SIMATIC PCS neo V4.0 | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
SIMATIC PCS neo V4.0
HARDENING: For SIMATIC PCS neo V4.0 (no patch available), restrict network access to engineering workstations to trusted networks only and implement strong access controls and session timeout policies at the firewall or network level
All products
HARDENING: Enforce manual session timeout and re-authentication on engineering workstations running any affected software
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
TIA Administrator
HOTFIX: Update TIA Administrator to version 3.0.4 or later
All products
HOTFIX: Update SIMATIC PCS neo to version 4.1 Update 2 or later
HOTFIX: Update SIMATIC PCS neo to version 5.0 Update 1 or later
HOTFIX: Update SIMOCODE ES to version 19 Update 1 or later
HOTFIX: Update SIRIUS Safety ES to version 19 Update 1 or later
HOTFIX: Update SIRIUS Soft Starter ES to version 19 Update 1 or later
Mitigations - no patch available
SIMATIC PCS neo V4.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor and audit access to engineering software interfaces for suspicious activity after user logout events
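
The audit in the last item can be automated by correlating each logout event with any later use of the same session. The following is an added example, not code from Siemens or from this advisory; the log format, field names and sample lines are constructed assumptions (for instance, events exported from an access log in front of the engineering interface).

```python
"""Flag requests that reuse a session after its LOGOUT event.
Assumed (hypothetical) log format, one event per line:
    <ISO-8601 time> <session_ref> <source_ip> <event> [path]
session_ref is a hash or short reference to the session, never the raw token.
"""
from datetime import datetime

# Constructed sample log; not output from any Siemens product.
SAMPLE_LOG = """\
2025-02-11T08:00:02 s-7f3a 10.0.5.21 LOGIN
2025-02-11T08:14:40 s-7f3a 10.0.5.21 REQUEST /projects/42
2025-02-11T08:30:11 s-7f3a 10.0.5.21 LOGOUT
2025-02-11T08:05:00 s-91bc 10.0.5.30 LOGIN
2025-02-11T09:02:57 s-7f3a 10.0.9.88 REQUEST /projects/42/logic
2025-02-11T09:03:05 s-91bc 10.0.5.30 REQUEST /projects/7
malformed line
"""

def find_post_logout_use(log_text):
    """Return one finding per event seen after that session's LOGOUT."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        events.append((ts, parts[1], parts[2], parts[3],
                       parts[4] if len(parts) > 4 else ""))
    events.sort(key=lambda e: e[0])  # merged logs may be out of order
    logged_out = {}  # session_ref -> (logout time, source IP at logout)
    findings = []
    for ts, sess, ip, event, path in events:
        if event == "LOGOUT":
            logged_out[sess] = (ts, ip)
        elif sess in logged_out:
            out_ts, out_ip = logged_out[sess]
            findings.append({
                "session": sess, "event": event, "path": path, "source_ip": ip,
                "seconds_after_logout": int((ts - out_ts).total_seconds()),
                "new_source": ip != out_ip,  # different host than the logout
            })
    return findings

if __name__ == "__main__":
    for finding in find_post_logout_use(SAMPLE_LOG):
        print(finding)
```

On a patched system any finding means invalidation is not working as expected; on SIMATIC PCS neo V4.0 each finding is a session to investigate.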
CVEs (1)