Multiple Vulnerabilities in INTRALOG WMS Before V5
Plan Patch | CVSS 8.7 | SSA-901508 | May 13, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
INTRALOG WMS before V5 contains multiple vulnerabilities in the Microsoft .NET implementation, affecting confidentiality and integrity. Vulnerabilities include insecure transmission of sensitive data (CWE-319), resource exhaustion (CWE-400), use-after-free conditions (CWE-416), insecure file operations (CWE-59), improper input validation (CWE-20), and unused authentication (CWE-407). Siemens has released V5 or later versions to address these issues.
What this means
What could happen
An attacker could intercept unencrypted warehouse management data, cause system resource exhaustion leading to service interruptions, or exploit memory safety issues to disrupt warehouse operations or access sensitive logistics information.
Who's at risk
Warehouse and logistics operations using INTRALOG WMS for inventory management, shipping, and receiving. Particularly critical for facilities that rely on WMS for real-time stock tracking and order fulfillment decisions. Water authorities or utilities using INTRALOG for material management systems are affected if running versions before V5.
How it could be exploited
An attacker with network access to the INTRALOG WMS application could exploit weak encryption of sensitive data in transit, send malformed requests to exhaust system resources, or trigger use-after-free conditions through specially crafted input to compromise system availability or steal warehouse data.
Prerequisites
- Network access to INTRALOG WMS application port
- INTRALOG WMS version earlier than V5 deployed
- remotely exploitable
- low complexity
- high CVSS score (8.7)
- affects data confidentiality and integrity
- no authentication required for some attack vectors
Exploitability
Moderate exploit probability (EPSS 4.4%)
Affected products (1)
Product | Affected Versions | Fix Status
INTRALOG WMS | < V5 | 5 or later version
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update INTRALOG WMS to version 5 or later
CVEs (8)
API:
/api/v1/advisories/1a457fce-306a-4e73-b4d4-8f23ad460b0d