Out of Bound Read Vulnerability in TPM 2.0

CVSS: 6.6
Siemens advisory: SSA-628843
Date: Apr 14, 2026
Vendor: Siemens

Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

An out-of-bounds read vulnerability in the Trusted Platform Module (TPM) 2.0 firmware of multiple Siemens industrial PC models could allow a local user to make the TPM read memory beyond the boundaries of the buffer a request is meant to touch. This may expose sensitive information stored in or handled by the TPM, such as encryption keys, or crash the TPM (denial of service). The vulnerability affects several product lines, including the SIMATIC IPC BX-, PX-, RW- and MD-series, the older SIMATIC IPCxxxE models, SIMATIC CN 4100, ITP1000 and the SIMATIC Field PG series of engineering workstations. Siemens has released firmware updates for 14 products, fixes are still pending for 7 others, and 3 products are end-of-life with no fix planned.

What this means
What could happen
An attacker with local access to a Siemens industrial PC could read memory beyond intended bounds in the Trusted Platform Module, potentially exposing sensitive cryptographic keys or causing the TPM to become unavailable. This could compromise the security of system components that rely on TPM for encryption or attestation.
Who's at risk
Siemens industrial PCs used in manufacturing control systems, panel PCs serving as operator interfaces, and rugged engineering workstations (Field PG). Primarily affects facilities whose automation systems depend on the TPM for secure boot, disk encryption or key storage. Organizations operating the CN 4100, Field PG, IPC 2xxE/4xxE/6xxE/8xxE or SIPLUS IPC427E families, or the newer IPC BX/PX/RW/MD series, should check the affected-products list for the exact models and firmware versions they run.
How it could be exploited
An attacker with a local user-level account on the affected industrial PC talks to the TPM through the operating system's normal TPM interfaces. A specially crafted command whose declared parameter length exceeds the data actually supplied (or the TPM's internal buffer) makes the TPM's command parser read past the end of that buffer, so the response or the TPM's subsequent behaviour reflects adjacent memory the caller is not authorized to see. The local requirement means the attacker must first have a foothold on the machine, whether through credential compromise, malware, or physical access.
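As an added illustration of the bug class described above (constructed for this page; not Siemens' or any TPM vendor's code, and not a reproduction of the advisory's specific defect): a C model of a TPM 2.0 command parser unmarshalling a TPM2B parameter, shown once trusting the caller-supplied size field and once bounding it against the bytes actually left in the command. The response-code values follow the TPM 2.0 library specification; MAX_PARAM, the function names, the command layout and the "SECRET" marker bytes standing in for adjacent memory are assumptions.

```c
/* Constructed illustration of an out-of-bounds read in a TPM 2.0 command
 * parser. Not Siemens' or any vendor's code; names and sizes are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Response codes per TPM 2.0 library spec, Part 2. */
#define TPM_RC_SUCCESS      0x000u
#define TPM_RC_SIZE         0x095u   /* structure is the wrong size */
#define TPM_RC_INSUFFICIENT 0x09Au   /* command buffer has too few bytes */

#define MAX_PARAM 64                 /* assumed capacity of the TPM2B target */

typedef struct {
    const uint8_t *cur;              /* next unparsed byte of the command */
    uint32_t remaining;              /* bytes left per the header's commandSize */
} CmdParser;

typedef struct { uint16_t size; uint8_t buffer[MAX_PARAM]; } TPM2B_PARAM;

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE: checks 'size' against the destination only. A caller that
 * declares more bytes than the command carries makes memcpy read past the
 * end of the command buffer into whatever memory follows it. */
static uint32_t tpm2b_unmarshal_vulnerable(CmdParser *p, TPM2B_PARAM *out)
{
    if (p->remaining < 2) return TPM_RC_INSUFFICIENT;
    out->size = read_be16(p->cur);
    p->cur += 2; p->remaining -= 2;
    if (out->size > MAX_PARAM) return TPM_RC_SIZE;
    memcpy(out->buffer, p->cur, out->size);   /* out-of-bounds read */
    p->cur += out->size;
    p->remaining -= out->size;                /* wraps when size > remaining */
    return TPM_RC_SUCCESS;
}

/* HARDENED: also checks 'size' against the bytes actually present. */
static uint32_t tpm2b_unmarshal_hardened(CmdParser *p, TPM2B_PARAM *out)
{
    if (p->remaining < 2) return TPM_RC_INSUFFICIENT;
    out->size = read_be16(p->cur);
    p->cur += 2; p->remaining -= 2;
    if (out->size > MAX_PARAM) return TPM_RC_SIZE;
    if (out->size > p->remaining) return TPM_RC_INSUFFICIENT;   /* the missing check */
    memcpy(out->buffer, p->cur, out->size);
    p->cur += out->size;
    p->remaining -= out->size;
    return TPM_RC_SUCCESS;
}

/* Constructed input: the first CRAFTED_LEN bytes are the command as its header
 * declares it; the marker bytes after them stand in for adjacent TPM memory,
 * so the overread stays inside this array and the demo is safe to run. */
#define CRAFTED_LEN 6u
static const uint8_t arena[48] = {
    0x00, 0x20,                       /* TPM2B size field claims 32 bytes ... */
    'd', 'a', 't', 'a',               /* ... but the command carries only 4 */
    'S','E','C','R','E','T','S','E','C','R','E','T','S','E','C','R','E','T',
    'S','E','C','R','E','T','S','E','C','R'
};
static const uint8_t benign[6] = { 0x00, 0x04, 'd', 'a', 't', 'a' };  /* size matches payload */

typedef uint32_t (*unmarshal_fn)(CmdParser *, TPM2B_PARAM *);

/* Runs one parser over a command; returns its response code and reports how
 * many copied bytes came from beyond the declared command length. */
uint32_t run_parser(unmarshal_fn fn, const uint8_t *cmd, uint32_t cmd_len,
                    int *bytes_beyond_cmd, TPM2B_PARAM *out)
{
    CmdParser p = { cmd, cmd_len };
    memset(out, 0, sizeof *out);
    uint32_t rc = fn(&p, out);
    uint32_t payload_in_cmd = cmd_len - 2;
    *bytes_beyond_cmd = (rc == TPM_RC_SUCCESS && out->size > payload_in_cmd)
                            ? (int)(out->size - payload_in_cmd) : 0;
    return rc;
}

int vulnerable_bytes_leaked(void)
{
    int n; TPM2B_PARAM out;
    run_parser(tpm2b_unmarshal_vulnerable, arena, CRAFTED_LEN, &n, &out);
    return n;                                 /* marker bytes copied from past the command */
}

/* 1 if the bytes the vulnerable parser copied past the command are exactly the marker. */
int vulnerable_leak_is_marker(void)
{
    int n; TPM2B_PARAM out;
    run_parser(tpm2b_unmarshal_vulnerable, arena, CRAFTED_LEN, &n, &out);
    return n == 28 && memcmp(out.buffer + 4, arena + CRAFTED_LEN, 28) == 0;
}

uint32_t hardened_rc_on_crafted(void)
{
    int n; TPM2B_PARAM out;
    return run_parser(tpm2b_unmarshal_hardened, arena, CRAFTED_LEN, &n, &out);
}

uint32_t hardened_rc_on_benign(void)
{
    int n; TPM2B_PARAM out;
    return run_parser(tpm2b_unmarshal_hardened, benign, sizeof benign, &n, &out);
}

int main(void)
{
    int n; TPM2B_PARAM out;
    uint32_t rc = run_parser(tpm2b_unmarshal_vulnerable, arena, CRAFTED_LEN, &n, &out);
    printf("vulnerable: rc=0x%03x, %d bytes from beyond the command: %.*s\n",
           rc, n, n, (const char *)out.buffer + (CRAFTED_LEN - 2));
    printf("hardened:   rc=0x%03x on the crafted command\n", hardened_rc_on_crafted());
    printf("hardened:   rc=0x%03x on a well-formed command\n", hardened_rc_on_benign());
    return 0;
}
```

The point to take from the two parsers is that checking a length against the destination capacity is not enough; it must also be checked against the bytes the command actually contains, and the `remaining` counter must never be allowed to wrap.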
Prerequisites
  • Local user-level account on the industrial PC
  • Ability to interact with TPM interfaces (on Windows the TPM Base Services are reachable by standard users; on Linux /dev/tpm0 and /dev/tpmrm0 are usually restricted to root or the tss group, so check the device permissions on the affected host)
  • Affected firmware version installed

Key points:
  • Local access required
  • Low complexity attack
  • Multiple products without patches
  • Affects cryptographic security functions
  • No authentication verification within the TPM check
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (24 in total: 14 with a fix, 7 with a fix pending, 3 end-of-life)

First 5 of 24 entries:

Product               | Affected versions | Fix status
SIMATIC CN 4100       | All versions      | No fix (EOL)
SIMATIC Field PG M5   | All versions      | No fix yet
SIMATIC Field PG M6   | All versions      | No fix yet
SIMATIC IPC BX-32A    | < 29.01.09        | Fixed in 29.01.09
SIMATIC IPC BX-39A    | < 29.01.09        | Fixed in 29.01.09
Remediation & Mitigation

Do now
HARDENING: For products with no fix available, whether end-of-life or with a fix still pending (CN 4100, Field PG M5/M6, IPC227E, IPC277E, IPC627E, IPC647E, IPC677E, IPC847E, ITP1000), restrict local user accounts to trusted personnel only and monitor for unauthorized local login attempts.
WORKAROUND: Where operationally feasible, disable unused TPM functions or services on products with no fix available. Disabling the TPM outright breaks secure boot measurements and any disk encryption or attestation keyed to it, so only remove functions that nothing on the host depends on.

Schedule (requires maintenance window)

Patching may require device reboot — plan for process interruption

SIMATIC IPC BX-32A
  HOTFIX: Update SIMATIC IPC BX-32A, BX-39A, PX-32A, PX-39A and PX-39A PRO to firmware version 29.01.09 or later
SIMATIC IPC BX-56A
  HOTFIX: Update SIMATIC IPC BX-56A and BX-59A to firmware version 32.01.09 or later
SIMATIC IPC MD-57A
  HOTFIX: Update SIMATIC IPC MD-57A to firmware version 30.01.10 or later
SIMATIC IPC RW-528A
  HOTFIX: Update SIMATIC IPC RW-528A and RW-548A to firmware version 34.01.02 or later
SIMATIC IPC427E
  HOTFIX: Update SIMATIC IPC427E, IPC477E and IPC477E PRO to firmware version 21.01.20 or later
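Added example (not Siemens tooling): a small C check that compares an installed firmware version string against the fixed versions listed in this advisory. The product-to-version pairs are copied from the hotfix entries above and the affected-products table; the field-by-field version parser, the assumption that version strings look like "29.01.09" with an optional leading "V", and the sample inventory are mine. Products marked pending or end-of-life are treated as affected at every version, as the advisory states.

```c
/* Added example: advisory version check. Product/fixed-version pairs come from
 * the advisory; parsing, status codes and the sample inventory are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *product; const char *fixed; } FixEntry;

/* fixed == NULL: no fix available (EOL or pending), so every version is affected. */
static const FixEntry FIXES[] = {
    {"SIMATIC IPC BX-32A", "29.01.09"}, {"SIMATIC IPC BX-39A", "29.01.09"},
    {"SIMATIC IPC PX-32A", "29.01.09"}, {"SIMATIC IPC PX-39A", "29.01.09"},
    {"SIMATIC IPC PX-39A PRO", "29.01.09"},
    {"SIMATIC IPC BX-56A", "32.01.09"}, {"SIMATIC IPC BX-59A", "32.01.09"},
    {"SIMATIC IPC MD-57A", "30.01.10"},
    {"SIMATIC IPC RW-528A", "34.01.02"}, {"SIMATIC IPC RW-548A", "34.01.02"},
    {"SIMATIC IPC427E", "21.01.20"}, {"SIMATIC IPC477E", "21.01.20"},
    {"SIMATIC IPC477E PRO", "21.01.20"},
    {"SIMATIC CN 4100", NULL}, {"SIMATIC Field PG M5", NULL}, {"SIMATIC Field PG M6", NULL},
};

typedef enum { STATUS_FIXED, STATUS_AFFECTED, STATUS_NO_FIX, STATUS_UNKNOWN_PRODUCT } FixStatus;

/* Reads one numeric field and advances past the next '.', skipping any
 * non-numeric suffix so malformed input cannot loop forever. */
static long next_field(const char **s)
{
    char *end;
    long v = strtol(*s, &end, 10);
    if (end == *s) v = 0;                     /* non-numeric field counts as 0 */
    *s = end;
    while (**s && **s != '.') (*s)++;
    if (**s == '.') (*s)++;
    return v;
}

/* Compares dotted versions numerically, so "29.01.09" < "29.01.10" and
 * "29.1.9" == "29.01.09"; plain string comparison gets both wrong. */
int version_cmp(const char *a, const char *b)
{
    if (*a == 'V' || *a == 'v') a++;          /* assumed optional "V" prefix */
    if (*b == 'V' || *b == 'v') b++;
    while (*a || *b) {
        long x = next_field(&a), y = next_field(&b);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

FixStatus check_product(const char *product, const char *installed)
{
    for (size_t i = 0; i < sizeof FIXES / sizeof FIXES[0]; i++) {
        if (strcmp(FIXES[i].product, product) != 0) continue;
        if (FIXES[i].fixed == NULL) return STATUS_NO_FIX;
        return version_cmp(installed, FIXES[i].fixed) < 0 ? STATUS_AFFECTED : STATUS_FIXED;
    }
    return STATUS_UNKNOWN_PRODUCT;
}

int main(void)
{
    static const char *labels[] = { "fixed", "AFFECTED, update", "AFFECTED, no fix", "unknown product" };
    /* Constructed inventory; real version strings would come from each host. */
    const char *inventory[][2] = {
        {"SIMATIC IPC BX-32A", "V29.01.08"}, {"SIMATIC IPC MD-57A", "30.01.10"},
        {"SIMATIC CN 4100", "1.2.3"},        {"SIMATIC IPC999", "1.0"},
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        printf("%-22s %-10s %s\n", inventory[i][0], inventory[i][1],
               labels[check_product(inventory[i][0], inventory[i][1])]);
    return 0;
}
```

The page does not say where on the host the firmware version is read from, so feed the function whatever string the IPC's firmware setup or your inventory tool reports; the parser tolerates a leading "V" and unpadded fields but is otherwise deliberately strict.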
API: /api/v1/advisories/7a9484fc-61fc-4613-a85d-698d51a6dd11
