Heap Based Buffer Overflow Vulnerability in WIBU CodeMeter Runtime Affecting the Desigo CC Product Family and SENTRON Powermanager
Priority: Act Now · Score: 8.8 · SSA-507364 · Feb 10, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A heap buffer overflow vulnerability exists in WIBU Systems CodeMeter Runtime, a third-party component used by Desigo CC (V6–V8 QU1) and SENTRON Powermanager (V6–V8 QU1). Successful exploitation could lead to arbitrary code execution in the context of the affected application process. The vulnerability is triggered when a user opens a malicious file or link. Siemens has released CodeMeter Runtime updates and recommends applying the update on affected systems.
What this means
What could happen
An attacker who can trick a user into opening a malicious file or visiting a link could run arbitrary code on a Desigo CC building management system or SENTRON Powermanager energy management system, potentially compromising automated controls over HVAC, lighting, power distribution, or other critical building/facility infrastructure.
Who's at risk
Building automation and energy management operators using Siemens Desigo CC (any variant including Compact, Connect, or Cerberus DMS) or SENTRON Powermanager software should be concerned. These systems control HVAC, lighting, power, and other critical building operations. The vulnerability affects all V6 and V7 versions, and V8 versions before V8.0 QU2.
How it could be exploited
An attacker crafts a malicious file or link that, when opened or clicked by an operator or engineer using the affected software, triggers the heap buffer overflow in the CodeMeter Runtime component. This results in code execution in the context of the application process, allowing the attacker to execute arbitrary commands with the privileges of the user running Desigo CC or SENTRON Powermanager.
Prerequisites
- User interaction required: an operator or engineer must open a malicious file or click a malicious link
- Access to the network containing the affected building management or energy management system
- An affected Desigo CC or SENTRON Powermanager system running a vulnerable version
- Remotely exploitable via malicious file or link
- Requires user interaction
- No authentication required to trigger vulnerability
- High EPSS score (26.8%)
- No patch available for V6 and V7 versions
- Could allow code execution on critical building control systems
Exploitability
High exploit probability (EPSS 26.8%)
Affected products (6): 2 with fix, 4 EOL
Product | Affected Versions | Fix Status
Desigo CC family V6 | All versions | No fix (EOL)
Desigo CC family V7 | All versions | No fix (EOL)
Desigo CC family V8 | All versions < V8.0 QU2 | 8.0 QU2
SENTRON Powermanager V8 | All versions < V8.0 QU2 | 8.0 QU2
SENTRON Powermanager V6 | All versions | No fix (EOL)
SENTRON Powermanager V7 | All versions | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Desigo CC to version V8.0 QU2 or later
HOTFIX: Update SENTRON Powermanager to version V8.0 QU2 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Desigo CC family V6, Desigo CC family V7, SENTRON Powermanager V6, SENTRON Powermanager V7. Apply the following compensating controls:
HARDENING: For Desigo CC V6 and V7, contact Siemens for guidance on a long-term upgrade path or compensating controls, as no patch is available for these versions
HARDENING: For SENTRON Powermanager V6 and V7, contact Siemens for guidance on a long-term upgrade path or compensating controls, as no patch is available for these versions
CVEs (1)