Multiple Webserver Vulnerabilities in Desigo PXM Devices
Action: Plan Patch
CVSS: 8.8
Advisory: SSA-360783
Date: Oct 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Desigo PXM and PXG3 devices contain multiple webserver vulnerabilities that could allow an attacker with login credentials to access sensitive information, execute arbitrary commands, cause denial of service, or perform remote code execution. The vulnerabilities are in the webserver application and affect devices running firmware versions prior to V02.20.126.11-41 (PXM and PXG3.W*-2 models) or V02.20.126.11-37 (PXG3.W*-1 models).
What this means
What could happen
An attacker with valid login credentials could run arbitrary commands on a Desigo PXM device, potentially altering HVAC setpoints, disabling controls, exfiltrating building management data, or causing system outages affecting climate control and building operations.
Who's at risk
Building management and HVAC system operators using Siemens Desigo PXM30, PXM40, or PXM50 devices, or PXG3 gateway devices in commercial buildings. These are commonly deployed in facilities management for temperature and environmental control. The affected equipment is the Desigo PXM30, PXM40 and PXM50 controllers (-1 and .E variants) and the PXG3.W gateway modules used in building automation systems.
How it could be exploited
An attacker with valid credentials could access the webserver interface of a Desigo PXM device reachable from the network, then exploit command injection or other web vulnerabilities to execute arbitrary code or commands on the device, compromising the building management system.
Prerequisites
- Valid login credentials for the Desigo PXM webserver interface
- Network access to the webserver port on the affected device
- Device must be running a vulnerable firmware version (pre-V02.20.126.11-41 for PXM and PXG3.W*-2, pre-V02.20.126.11-37 for PXG3.W*-1)
Key points:
- Requires valid credentials to exploit
- Remotely exploitable over network
- Low to moderate complexity exploitation
- High CVSS score (8.8)
- Affects building management and control systems
- Multiple vulnerability types (command injection, XSS, CSRF)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (10)
10 with fix
Product          Affected Versions    Fix Status
Desigo PXM30-1   < V02.20.126.11-41   02.20.126.11-41
Desigo PXM30.E   < V02.20.126.11-41   02.20.126.11-41
Desigo PXM40-1   < V02.20.126.11-41   02.20.126.11-41
Desigo PXM40.E   < V02.20.126.11-41   02.20.126.11-41
Desigo PXM50-1   < V02.20.126.11-41   02.20.126.11-41
Desigo PXM50.E   < V02.20.126.11-41   02.20.126.11-41
PXG3.W100-1      < V02.20.126.11-37   02.20.126.11-37
PXG3.W100-2      < V02.20.126.11-41   02.20.126.11-41
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Desigo PXM webserver interface to authorized personnel and engineering workstations only, using firewall rules.
HARDENING: Enforce strong, unique passwords for all Desigo PXM webserver accounts and disable or remove default accounts.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
Desigo PXM30-1
HOTFIX: Update Desigo PXM30-1, PXM30.E, PXM40-1, PXM40.E, PXM50-1, and PXM50.E devices to firmware version V02.20.126.11-41 or later.
PXG3.W100-1
HOTFIX: Update PXG3.W100-1 and PXG3.W200-1 devices to firmware version V02.20.126.11-37 or later.
PXG3.W100-2
HOTFIX: Update PXG3.W100-2 and PXG3.W200-2 devices to firmware version V02.20.126.11-41 or later.
Long-term hardening
HARDENING: Segment the building management network from the main IT network and prevent external access to Desigo PXM devices.
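As an added example (not code from the Siemens advisory or the hosting site), the following Python checks a device inventory against the fixed firmware versions listed above, so operators can see which devices still need the hotfix; the model-to-fix-family mapping, the inventory format and the hostnames are assumptions.

```python
import re
from typing import Optional, Tuple

# Product family -> first fixed firmware version, taken from the advisory's fix list.
FIXED_VERSION = {
    "PXM": "V02.20.126.11-41",        # Desigo PXM30/40/50, -1 and .E variants
    "PXG3.W*-1": "V02.20.126.11-37",  # PXG3.W100-1 / PXG3.W200-1
    "PXG3.W*-2": "V02.20.126.11-41",  # PXG3.W100-2 / PXG3.W200-2
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'V02.20.126.11-41' into (2, 20, 126, 11, 41). The trailing '-NN'
    build number separates fixed from vulnerable builds, so it is kept."""
    m = re.fullmatch(r"V?(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return tuple(int(x) for x in m.groups())

def product_family(model: str) -> Optional[str]:
    """Map 'Desigo PXM40.E' or 'PXG3.W200-1' to a fix family, or None if not listed."""
    model = model.strip()
    if re.fullmatch(r"(Desigo )?PXM[345]0(-1|\.E)", model):
        return "PXM"
    m = re.fullmatch(r"PXG3\.W[12]00-([12])", model)
    return f"PXG3.W*-{m.group(1)}" if m else None

def is_vulnerable(model: str, firmware: str) -> bool:
    """True when a listed device runs firmware older than its fixed version."""
    family = product_family(model)
    if family is None:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION[family])

# Constructed sample inventory (hostname, model, firmware); hostnames are made up.
INVENTORY = [
    ("bms-ctl-01", "Desigo PXM40-1", "V02.20.126.11-38"),
    ("bms-ctl-02", "Desigo PXM50.E", "V02.20.126.11-41"),
    ("bms-gw-01", "PXG3.W100-1", "V02.20.126.11-36"),
    ("bms-gw-02", "PXG3.W200-2", "V02.20.126.11-41"),
]

def vulnerable_hosts(inventory) -> list:
    """Hostnames that still need the SSA-360783 hotfix."""
    return [host for host, model, fw in inventory if is_vulnerable(model, fw)]

if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print(f"{host}: update required (SSA-360783)")
```

Note that the PXG3.W*-1 and PXG3.W*-2 models have different fixed build numbers, so a single threshold for all PXG3 gateways would misclassify the -2 models.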
CVEs (7)