OTPulse

Deserialization Vulnerability in CCOM Communication Component of Desigo CC Family

Act Now · CVSS 10 · SSA-453715 · Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Desigo CC, Desigo CC Compact, and Cerberus DMS versions up to V5.0 contain a deserialization vulnerability in the CCOM communication component hosted in IIS. An unauthenticated attacker with network access can send a malicious serialized object that is deserialized without validation, leading to remote code execution. Only systems using Windows App or IE XBAP Web Client are affected; HTML5 Flex Clients are not vulnerable. The risk is particularly high for systems exposed directly to the Internet; systems on internal networks require local network access for exploitation.

What this means
What could happen
An unauthenticated attacker with network access to a Desigo CC or Cerberus DMS system could execute arbitrary code on the building automation server, potentially disrupting HVAC, lighting, and other critical facility systems or gaining access to building operational data.
Who's at risk
Building automation system administrators responsible for Desigo CC or Cerberus DMS deployments, particularly those managing HVAC, lighting, and other facility control systems in commercial buildings, municipal facilities, hospitals, and industrial sites. All versions V4.0–V5.0 are affected; V4.0 and V4.1 have no patch available.
How it could be exploited
An attacker sends a malicious serialized object to the CCOM communication component hosted in IIS on the Desigo CC server. The server deserializes the object without validation, allowing the attacker to instantiate arbitrary classes and execute code with system privileges. Systems exposed directly to the Internet are at highest risk; internal systems require network access first.
Prerequisites
  • Network access to the Desigo CC or Cerberus DMS CCOM IIS service (typically port 80/443)
  • System must be using Windows App or IE XBAP Web Client (HTML5 clients are not affected)
  • No credentials required
Tags: remotely exploitable · no authentication required · low complexity · default configuration vulnerable · critical CVSS 10 · affects building/facility automation systems · no patch available for V4.0 and V4.1 versions
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (12): 6 with fix, 6 EOL

Product                   Affected Versions   Fix Status
Cerberus DMS V4.2         All versions        4.2 QU1 and apply Patch 1417967
Cerberus DMS V5.0         < V5.0 QU1          5.0 QU1
Desigo CC Compact V4.2    All versions        4.2 QU1 and apply Patch 1417967
Desigo CC Compact V5.0    < V5.0 QU1          5.0 QU1
Desigo CC V4.2            All versions        4.2 QU1 and apply Patch 1417967
Desigo CC V5.0            < V5.0 QU1          5.0 QU1
Cerberus DMS V4.0         All versions        No fix (EOL)
Cerberus DMS V4.1         All versions        No fix (EOL)
Desigo CC Compact V4.0    All versions        No fix (EOL)
Desigo CC Compact V4.1    All versions        No fix (EOL)
Desigo CC V4.0            All versions        No fix (EOL)
Desigo CC V4.1            All versions        No fix (EOL)
Remediation & Mitigation

Do now

WORKAROUND: Restrict network access to the CCOM IIS service using firewall rules; do not expose Desigo CC directly to the Internet without VPN or network segmentation
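One way to apply this workaround on the Desigo CC / Cerberus DMS server itself, as an added example that is not part of the OTPulse advisory or any Siemens guidance: it assumes Windows Defender Firewall is the enforcement point, and the client subnets and rule name are placeholders.

```powershell
# Added example (not from the OTPulse advisory or Siemens): scope inbound access to
# the CCOM IIS listener (TCP 80/443) to the subnets that actually host the
# Windows App / XBAP clients, so the server is no longer reachable from anywhere else.
# Assumption: Windows Defender Firewall is the enforcement point on the server.
$AllowedClients = @('10.10.20.0/24', '10.10.30.0/24')   # PLACEHOLDER client subnets
$RuleName       = 'Desigo CC CCOM (TCP 80/443) - allowed clients only'

# 1. Ensure every profile drops inbound traffic that matches no allow rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable any enabled inbound allow rule that opens TCP 80 or 443 to *any* remote
#    address (for example the IIS defaults). Allow rules are additive, so a broad
#    rule left enabled would still admit Internet clients despite the scoped rule.
$BroadRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq 'TCP' -and
        (@($port.LocalPort) -contains '80' -or @($port.LocalPort) -contains '443') -and
        $addr.RemoteAddress -eq 'Any'
    }
foreach ($rule in $BroadRules) {
    Write-Host "Disabling broad inbound rule: $($rule.DisplayName)"
    Disable-NetFirewallRule -Name $rule.Name
}

# 3. Allow the CCOM listener only from the approved subnets.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 80, 443 -RemoteAddress $AllowedClients -Action Allow -Profile Any |
        Out-Null
}

# 4. Verify: the scoped rule exists and its remote-address filter is the allowed list.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it in an elevated PowerShell session on the server; if clients sit behind a VPN concentrator or NAT, the concentrator's address range is what belongs in the allowed list.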
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Desigo CC or Cerberus DMS to the latest version: V5.0 QU1 or later for V5.0 systems, or V4.2 QU1 for V4.2 systems
HOTFIX: For V4.2 systems, apply Patch 1417967 after updating to V4.2 QU1
HOTFIX: For other versions, apply Patch 1520637 or 1417968 as specified by Siemens support
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Cerberus DMS V4.0, Cerberus DMS V4.1, Desigo CC Compact V4.0, Desigo CC V4.0, Desigo CC V4.1, Desigo CC Compact V4.1. Apply the following compensating controls:
HARDENING: If Windows App or IE XBAP clients are not required, disable or remove them and migrate to the HTML5 Flex Client, which is not affected by this vulnerability