Unauthenticated Firmware Upload Vulnerability in Desigo PX Controllers
Act Now | CVSS 9.8 | SSA-824231 | Jan 24, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Desigo PXC and PXM controllers contain a vulnerability that allows unauthenticated remote firmware upload. An attacker on the network can upload arbitrary firmware to the controller without providing any credentials, potentially gaining complete control over the device and the systems it manages.
What this means
What could happen
An attacker could upload malicious firmware to Desigo PXC/PXM controllers without authentication, gaining complete control over building automation systems including HVAC, lighting, and process controls, which could disrupt facility operations or alter safety-critical setpoints.
Who's at risk
Building automation operators and facility managers using Siemens Desigo PXC or PXM controllers for HVAC, lighting, energy management, and other building systems. This affects any organization with Desigo-based building automation infrastructure in versions V4.10, V5.0, V5.10, or V6.0 running on any of the listed controller models.
How it could be exploited
An attacker on the network sends a firmware upload request to the controller's management interface (typically port 80/443 or a proprietary port). The controller accepts and executes the malicious firmware without verifying the attacker's identity. The attacker now has full code execution on the device.
Prerequisites
- Network reachability to the Desigo controller's management interface (typically HTTP/HTTPS)
- No valid credentials required
remotely exploitable | no authentication required | low complexity | critical CVSS score (9.8) | affects building automation and process controls | vendor patches available
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (44)
44 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Desigo PXC00-E.D V4.10 | < V4.10.111 | 4.10.111 |
| Desigo PXC00-E.D V5.00 | < V5.0.171 | 5.0.171 |
| Desigo PXC00-E.D V5.10 | < V5.10.69 | 5.10.69 |
| Desigo PXC00-E.D V6.00 | < V6.0.204 | 6.0.204 |
| Desigo PXC00/64/128-U V4.10 | < V4.10.111 | 4.10.111 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to Desigo controller management interfaces using firewall rules; only allow connections from authorized engineering workstations and management systems
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update Desigo PXC/PXM controllers running V4.10.x to firmware version 4.10.111 or later
- HOTFIX: Update Desigo PXC/PXM controllers running V5.0.x to firmware version 5.0.171 or later
- HOTFIX: Update Desigo PXC/PXM controllers running V5.10.x to firmware version 5.10.69 or later
- HOTFIX: Update Desigo PXC/PXM controllers running V6.0.x to firmware version 6.0.204 or later
Long-term hardening
- HARDENING: Segment Desigo controllers onto a separate building automation network isolated from general IT and external networks
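One way to check a controller inventory against the fixed builds listed above, as an added example that is not part of the advisory or of any Siemens tooling. The inventory layout, the asset names and the `V<major>.<minor>.<build>` version string format are assumptions; build numbers are compared numerically, because a string comparison would rank 4.10.99 above 4.10.111.

```python
import re

# Fixed build per firmware branch, taken from the remediation list above.
FIXED = {(4, 10): 111, (5, 0): 171, (5, 10): 69, (6, 0): 204}


def parse_version(text):
    """Parse 'V5.10.69', '5.0.171' or 'v6.00.204' into (major, minor, build)."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version_text):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one firmware version."""
    major, minor, build = parse_version(version_text)
    fixed_build = FIXED.get((major, minor))
    if fixed_build is None:
        return "unlisted"  # branch not named in the advisory; needs manual review
    return "fixed" if build >= fixed_build else "vulnerable"


def triage_inventory(rows):
    """rows: iterable of (asset_name, firmware_version). Returns {asset: status}."""
    report = {}
    for asset, version in rows:
        try:
            report[asset] = triage(version)
        except ValueError:
            report[asset] = "unparsed"  # keep the asset visible instead of dropping it
    return report


# Constructed sample inventory: asset names and versions are made up.
SAMPLE = [
    ("ahu-01", "V4.10.99"),      # 99 < 111 numerically, although "99" > "111" as text
    ("ahu-02", "V4.10.111"),
    ("chiller-01", "5.00.171"),  # "5.00" and "5.0" are the same branch
    ("lighting-03", "V5.10.7"),
    ("plant-01", "V6.0.210"),
    ("legacy-01", "V2.37.5"),
    ("spare-01", "unknown"),
]

if __name__ == "__main__":
    for asset, status in triage_inventory(SAMPLE).items():
        print(f"{asset:12} {status}")
```

Assets reported as `unlisted` or `unparsed` still need a manual check against the full affected-products table.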
CVEs (1)