Multiple Vulnerabilities in Apogee PXC and Talon TC Devices
Monitor | 7.5 | SSA-615116 | Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Apogee PXC and Talon TC building automation controllers contain two vulnerabilities: (1) an out-of-bounds read that allows remote attackers to send a crafted packet causing the device to crash and restart (denial of service), and (2) weak password encryption that allows attackers to decrypt stored administrative credentials. Both vulnerabilities require only network access with no authentication. Siemens has not released firmware patches for any version of these products and recommends network protection and segmentation as countermeasures.
What this means
What could happen
An attacker could crash these building automation controllers, forcing them to restart and disrupting climate control and facility management operations. The attacker could also decrypt stored device passwords, gaining administrative access to change setpoints or disable monitoring.
Who's at risk
Building automation and facilities management operators running Siemens Apogee PXC or Talon TC controllers. These devices are commonly used in commercial buildings, hospitals, universities, and data centers for HVAC, lighting, and environmental control. Any organization with these controllers connected to a network is at risk.
How it could be exploited
An attacker on the network sends a specially crafted packet to the BACnet or Ethernet port of a PXC or TC device. The out-of-bounds read causes the device to crash into a cold restart state. Separately, weak password encryption on the device allows the attacker to recover administrative credentials offline from captured traffic or device memory.
Prerequisites
- Network access to port 47808 (BACnet) or port 502 (P2 Ethernet)
- No authentication required to send the malicious packet
- Device must be reachable from attacker's network segment
remotely exploitable · no authentication required · low complexity · no patch available · affects facility operations (HVAC, climate control)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| APOGEE PXC Series (BACnet) | All versions | No fix (EOL) |
| TALON TC Series (BACnet) | All versions | No fix (EOL) |
| APOGEE PXC Series (P2 Ethernet) | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
APOGEE PXC Series (BACnet)
WORKAROUND: Restrict network access to PXC and TC devices using firewall rules to block inbound connections on ports 47808 (BACnet) and 502 (P2 Ethernet) from untrusted network segments
All products
HARDENING: Change all administrative credentials on affected devices immediately
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
APOGEE PXC Series (BACnet)
HARDENING: Monitor network traffic to PXC and TC devices for suspicious BACnet or Ethernet packets
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE PXC Series (BACnet), TALON TC Series (BACnet), APOGEE PXC Series (P2 Ethernet). Apply the following compensating controls:
HARDENING: Segment building automation network from general IT network and untrusted zones using VLANs or separate physical networks
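The firewall workaround and the monitoring item above can be verified against flow records. The following Python is an added example, not part of the advisory or vendor material: it flags flows that reach a controller on the two ports listed under Prerequisites from outside the trusted segments. The subnets, the flow-record format and the sample records are constructed for illustration.

```python
import ipaddress

# Ports named in the advisory's prerequisites.
CONTROLLER_PORTS = {47808: "BACnet", 502: "P2 Ethernet"}

# Assumed site values (constructed for this example, not from the advisory).
CONTROLLERS = [ipaddress.ip_network("10.20.0.0/24")]  # PXC/TC controller VLAN
TRUSTED = [
    ipaddress.ip_network("10.20.0.0/24"),   # controller-to-controller traffic
    ipaddress.ip_network("10.20.1.10/32"),  # building management workstation
]

# Constructed flow records: time,src,dst,proto,dst_port
SAMPLE_FLOWS = """\
2025-02-11T08:00:01Z,10.20.1.10,10.20.0.5,udp,47808
2025-02-11T08:00:07Z,10.50.3.22,10.20.0.5,udp,47808
2025-02-11T08:01:12Z,10.20.0.6,10.20.0.5,udp,47808
2025-02-11T08:02:30Z,192.0.2.44,10.20.0.9,tcp,502
2025-02-11T08:03:00Z,10.50.3.22,10.20.0.5,tcp,443
malformed line
2025-02-11T08:04:00Z,10.50.3.22,10.60.0.1,udp,47808
"""

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)

def find_violations(flow_text):
    """Return flows that reach a controller port from outside TRUSTED."""
    hits = []
    for line in flow_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, src, dst, _proto, dport = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if (port in CONTROLLER_PORTS and in_any(dst_ip, CONTROLLERS)
                and not in_any(src_ip, TRUSTED)):
            hits.append((ts, src, dst, CONTROLLER_PORTS[port]))
    return hits

if __name__ == "__main__":
    for ts, src, dst, svc in find_violations(SAMPLE_FLOWS):
        print(f"{ts} untrusted source {src} reached {dst} on {svc} port")
```

Any hit means the segmentation or firewall rule is not holding for that path and the source should be investigated.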
CVEs (2)