Remote Code Execution Vulnerability in SENTRON Powermanager and Desigo CC
Act Now | SSA-938066 | Jul 8, 2025
Summary
SENTRON Powermanager and Desigo CC contain a remote code execution vulnerability in their embedded Apache Tomcat application server. It is triggered by a partial (Content-Range) PUT request that exploits a path equivalence flaw in Tomcat's default servlet, allowing an unauthenticated remote attacker to execute arbitrary code, disclose sensitive information, or inject malicious content into the power management or automation system.
What this means
What could happen
An attacker with network access to these devices could execute arbitrary code, potentially altering power system configurations, disrupting grid operations, or exfiltrating sensitive control system data. This directly threatens the reliability of electrical infrastructure.
Who's at risk
Operators of Siemens SENTRON Powermanager (power management and monitoring), notably Transmission System Operators (TSOs) and Distribution System Operators (DSOs), and operators of Desigo CC, Siemens' building management platform, which is also deployed in utility and substation facilities. Any electrical utility or substation running either platform is affected.
How it could be exploited
An attacker on the network sends a specially crafted partial PUT request to the web interface of SENTRON Powermanager or Desigo CC. Because the embedded Tomcat resolves the request path inconsistently (the path equivalence issue), the write is not confined as intended; the attacker leverages this to bypass access controls and execute arbitrary code on the device.
Prerequisites
- Network access to the web management port (typically 80/443) of SENTRON Powermanager or Desigo CC
- No credentials required
- On the Tomcat side, the default servlet must accept writes (init-param readonly set to false; Tomcat ships with readonly=true) and partial PUT must be enabled (the Tomcat default). Check the embedded Tomcat's conf/web.xml before assuming a given deployment is reachable this way
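The two Tomcat settings that gate this attack path can be checked mechanically. The following is an added example, not code from Siemens or from Apache Tomcat: it parses a Tomcat conf/web.xml, locates the DefaultServlet declaration, and reports whether writes (readonly=false) and partial PUT (allowPartialPut, default true) are enabled. The web.xml samples are constructed for illustration; the location and layout of the embedded Tomcat's web.xml inside SENTRON Powermanager or Desigo CC is an assumption.

```python
# Added example (not Siemens' or Apache Tomcat's code): audit the DefaultServlet
# settings in a Tomcat conf/web.xml that decide whether unauthenticated partial
# PUT requests reach the server at all. The web.xml samples are constructed.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace so tags match for javaee and jakartaee web.xml."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the DefaultServlet declaration, or {} if absent."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = None
                for item in child:
                    if _local(item.tag) == "param-name":
                        pname = (item.text or "").strip()
                    elif _local(item.tag) == "param-value":
                        pvalue = (item.text or "").strip()
                if pname is not None:
                    params[pname] = pvalue
        if cls == DEFAULT_SERVLET_CLASS or name == "default":
            return params
    return {}


def audit_default_servlet(web_xml: str) -> dict:
    """Flag a DefaultServlet that accepts writes and partial PUT.

    Tomcat defaults: readonly=true (PUT/DELETE rejected), allowPartialPut=true.
    """
    params = default_servlet_params(web_xml)
    writable = (params.get("readonly") or "true").lower() == "false"
    partial_put = (params.get("allowPartialPut") or "true").lower() != "false"
    findings = []
    if writable:
        findings.append("readonly=false: DefaultServlet accepts unauthenticated PUT/DELETE")
    if writable and partial_put:
        findings.append("partial PUT reachable on a writable DefaultServlet; "
                        "set readonly=true or allowPartialPut=false")
    return {"writable": writable, "partial_put": partial_put, "findings": findings}


# Constructed samples: the stock shape of Tomcat's conf/web.xml, and a variant
# in which an integrator has turned on writes.
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

WRITABLE_WEB_XML = DEFAULT_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "    <load-on-startup>",
)

if __name__ == "__main__":
    for label, xml_text in (("stock", DEFAULT_WEB_XML), ("writable", WRITABLE_WEB_XML)):
        result = audit_default_servlet(xml_text)
        print(label, result["findings"] or ["no finding"])
```

A stock web.xml produces no finding because readonly defaults to true; the variant with readonly=false produces two. Note that a reachable partial PUT is the entry condition, not the whole chain: what an attacker can do with the write depends on the rest of the deployment, so a clean audit result narrows exposure but does not replace the network controls below.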
Tags: remotely exploitable · no authentication required · actively exploited (KEV) · extremely high EPSS score (94.2%) · no patch available · affects grid critical infrastructure · affects power system visibility and control
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2), both EOL
Product | Affected Versions | Fix Status
SENTRON powermanager | All versions | No fix (EOL)
Desigo CC | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING (SENTRON powermanager): Implement network segmentation and firewall rules to restrict access to the SENTRON Powermanager and Desigo CC web interfaces to authorized engineering workstations only
- HARDENING (All products): Deploy VPN access controls for any remote management of these devices
Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
- HARDENING: Monitor and log all access attempts to the management interfaces of affected devices; in particular, alert on any PUT or DELETE request, which is never expected on these interfaces, and on connections from outside the engineering network
- HOTFIX: Apply any security updates from Siemens when released, following documented procedures and validating them in a non-production environment first
Mitigations (no patch available)
The following products have reached End of Life with no planned fix: SENTRON powermanager, Desigo CC. Apply the following compensating controls:
- HARDENING: Review and ensure multi-level redundant protection schemes are in place according to grid regulatory requirements
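The monitoring item above is concrete enough to implement against the embedded Tomcat's access log. The following is an added example, not Siemens' code: it parses lines in the Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) and raises an alert for any PUT/DELETE/PATCH request and for any client outside an engineering allowlist. The log lines and the engineering subnet are constructed; the assumption that the device exposes its Tomcat access log in this pattern is mine.

```python
# Added example (not Siemens' code): flag access-log lines that the monitoring
# control should alert on. Assumes the Tomcat AccessLogValve "common" pattern;
# the sample log lines and the engineering allowlist below are constructed.
import ipaddress
import re

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Methods that modify content; none are expected on a management interface.
WRITE_METHODS = {"PUT", "DELETE", "PATCH"}


def parse_line(line: str):
    """Return the fields of one common-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def flag_access(lines, allowed_nets):
    """Return one alert per line that is a write method, an unexpected source,
    or unparseable. A single line can carry more than one reason."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            alerts.append({"line": line, "reasons": ["unparseable line"]})
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in nets):
                reasons.append("source outside engineering allowlist")
        except ValueError:
            reasons.append("non-IP source field")
        if rec["method"] in WRITE_METHODS:
            reasons.append(f"{rec['method']} request to management interface")
        if reasons:
            alerts.append({"line": line, "src": rec["src"], "method": rec["method"],
                           "path": rec["path"], "status": rec["status"],
                           "reasons": reasons})
    return alerts


# Constructed sample: two engineering hosts on 10.10.1.0/24, one foreign host.
SAMPLE_LOG = """\
10.10.1.5 - - [08/Jul/2025:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5123
10.10.1.5 - - [08/Jul/2025:09:12:03 +0000] "POST /login HTTP/1.1" 302 -
192.168.77.40 - - [08/Jul/2025:09:40:17 +0000] "GET /index.html HTTP/1.1" 200 5123
192.168.77.40 - - [08/Jul/2025:09:40:19 +0000] "PUT /uploads/data.txt HTTP/1.1" 403 -
10.10.1.7 - - [08/Jul/2025:10:02:44 +0000] "PUT /uploads/data.txt HTTP/1.1" 201 -
"""
ENGINEERING_NETS = ["10.10.1.0/24"]


def sample_alerts():
    return flag_access(SAMPLE_LOG.splitlines(), ENGINEERING_NETS)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert.get("src", "?"), alert.get("method", "?"), "; ".join(alert["reasons"]))
```

On the sample, three of the five lines alert: the foreign host's GET (wrong source), its PUT (wrong source and write method) and the engineering host's PUT (write method alone). The last case matters: a PUT from an allowed workstation is still worth a ticket, because an attacker who has reached the engineering network is exactly the case segmentation cannot cover. The Content-Range header that marks a partial PUT is not in the common log pattern; add %{Content-Range}i to the AccessLogValve pattern if you want to distinguish partial from full PUTs.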
CVEs (1)
API: /api/v1/advisories/6ebd4fcf-65a8-4958-8c87-ddb135fdb90b