OTPulse

Multiple Vulnerabilities in Opcenter Quality Before V2506

Plan Patch · CVSS 7.1 · SSA-382999 · Aug 12, 2025
Attack Vector: Adjacent
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

Opcenter Quality v13.2 through v2505 contains multiple vulnerabilities in SmartClient modules: Opcenter QL Home (SC), SOA Audit, and SOA Cockpit. The vulnerabilities involve improper access control (CWE-863), missing encryption of sensitive data (CWE-311), information exposure (CWE-209), insufficient session expiration (CWE-613), and use of broken cryptography (CWE-327). These issues affect authentication, data protection, and information disclosure in quality management operations.

What this means
What could happen
An attacker with local network access and low-level user credentials could access sensitive quality data without proper authorization, decrypt stored information, or manipulate quality control records, potentially affecting product batch approvals and traceability in manufacturing operations.
Who's at risk
Manufacturing and pharmaceutical companies running Siemens Opcenter Quality for batch testing, product quality assurance, and regulatory compliance. Affects SmartClient operators and quality engineers who use QL Home, SOA Audit, and SOA Cockpit modules to manage quality records and approve production batches.
How it could be exploited
An attacker on the plant network with valid user credentials authenticates to a SmartClient module. Due to insufficient access controls and weak cryptography, the attacker can bypass authorization checks to access quality data they should not have access to, view or modify batch records, or extract sensitive manufacturing information from the application.
Prerequisites
  • Network access to Opcenter Quality SmartClient modules (local network or VPN)
  • Valid user account credentials for Opcenter Quality
  • Access to a system where SmartClient is installed or used
  • Low attack complexity (high complexity vector, but weak mitigations)
  • Requires valid user credentials
  • Affects data confidentiality and integrity in quality systems
  • CWE-863 (improper access control) is a foundational ICS security issue
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
SmartClient modules Opcenter QL Home (SC) | ≥ 13.2, < 2506 | 2506
SOA Audit | ≥ 13.2, < 2506 | 2506
SOA Cockpit | ≥ 13.2, < 2506 | 2506
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Opcenter Quality to version V2506 or later
Multiple Vulnerabilities in Opcenter Quality Before V2506 | CVSS 7.1 - OTPulse