Remote Code Execution Vulnerability in SENTRON Powermanager and Desigo CC

Priority: Act Now
Advisory ID: SSA-938066
Published: Jul 8, 2025
Vendor: Siemens
Sector: Energy
Summary

SENTRON Powermanager and Desigo CC devices are vulnerable to remote code execution via a path equivalence flaw in embedded Apache Tomcat. A remote attacker can send a specially crafted partial PUT request to execute arbitrary code, disclose sensitive information, or inject malicious content without authentication. All versions are affected and no patch is planned. The vulnerability could impact power system monitoring and control, as well as building energy management systems.

What this means
What could happen
An attacker could execute arbitrary code on SENTRON Powermanager or Desigo CC devices, potentially altering power system monitoring, control setpoints, or disabling critical energy management functions. This could disrupt power grid operations or allow theft of sensitive grid configuration data.
Who's at risk
Energy sector operators responsible for power generation, transmission, and distribution systems using Siemens SENTRON Powermanager for electrical infrastructure monitoring and control, or Desigo CC building management systems in critical facilities. This includes utilities, independent power producers, and facility managers at power plants and substations.
How it could be exploited
An attacker sends a specially crafted partial HTTP PUT request to the Tomcat web service running on the affected device. The request exploits a path equivalence flaw in Tomcat to bypass access controls and execute arbitrary code on the device, gaining full control of the power management or building management system.
Prerequisites
  • Network access to the HTTP/HTTPS port running Tomcat on the device (typically port 8080 or 443)
  • No authentication required
Key facts
  • Remotely exploitable
  • No authentication required
  • Actively exploited (KEV)
  • High EPSS score (94.2%)
  • No patch available
  • Affects power system operations
Exploitability
  • Actively exploited: confirmed by CISA KEV
  • Metasploit module available (weaponized exploit)
  • Public proof-of-concept (PoC) code on GitHub (10 repositories)
Affected products (2, both EOL)

Product               Affected Versions   Fix Status
SENTRON powermanager  All versions        No fix (EOL)
Desigo CC             All versions        No fix (EOL)
Remediation & Mitigation

Do now

SENTRON powermanager
  • HARDENING: Isolate SENTRON Powermanager and Desigo CC devices from untrusted networks using firewall rules; restrict inbound access to only authorized engineering workstations and monitoring systems
All products
  • HARDENING: Implement network segmentation to place power management devices on a dedicated VLAN with strict access controls and monitored ingress/egress
  • WORKAROUND: Disable or restrict HTTP/HTTPS access to the Tomcat web interface if it is not required for normal operations; if it is required, require VPN or jump-host access
Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

  • HARDENING: Monitor network traffic to and from affected devices for suspicious HTTP PUT requests or unusual connection patterns
Mitigations (no patch available)

The following products have reached End of Life with no planned fix: SENTRON powermanager, Desigo CC. Apply the following compensating controls:
  • HARDENING: Document and test a recovery procedure in case of device compromise, including validated firmware images and configuration backups stored offline
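The two controls above that a defender can act on immediately are restricting inbound access to authorized engineering workstations and monitoring for HTTP PUT traffic toward the Tomcat interface. The following script is an added example, not part of this advisory or of any Siemens or OTPulse tooling, showing how both could be checked together over request records exported from a proxy, IDS or web-server front end. It assumes a hypothetical engineering-workstation range (10.20.5.0/24) and a constructed one-line-per-request log format; the sample traffic is constructed, not a real capture. Requests using the PUT method are flagged, partial PUTs (those carrying a Content-Range header) are called out explicitly, and any request from outside the allowlist is flagged as a policy violation, with a PUT from a non-allowlisted source rated highest.

```python
"""Flag HTTP PUT traffic and non-allowlisted sources toward an OT web interface.

Added example for the SSA-938066 mitigations; the allowlist range and the
log format are assumptions, and the sample traffic below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Hypothetical engineering-workstation range (an assumption for this example).
ENGINEERING_ALLOWLIST = [ip_network("10.20.5.0/24")]


@dataclass
class HttpRequest:
    timestamp: str
    src: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive, so normalise before lookup.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower())


@dataclass
class Finding:
    request: HttpRequest
    severity: str
    reasons: List[str]


def parse_line(line: str) -> HttpRequest:
    """Parse one constructed log line of the form
    '<timestamp> <src-ip> <METHOD> <path> [Header=value;Header=value]'.
    Header values may contain spaces (e.g. 'bytes 0-99/200')."""
    parts = line.split(maxsplit=4)
    ts, src, method, path = parts[:4]
    headers: Dict[str, str] = {}
    if len(parts) == 5:
        for item in parts[4].split(";"):
            name, _, value = item.partition("=")
            if name:
                headers[name.strip()] = value.strip()
    return HttpRequest(ts, src, method, path, headers)


def is_allowlisted(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in ENGINEERING_ALLOWLIST)


def assess(req: HttpRequest) -> Optional[Finding]:
    """Return a Finding when the request violates the access policy or is a
    PUT against the device web interface; None when nothing is notable."""
    reasons: List[str] = []
    is_put = req.method.upper() == "PUT"
    if is_put:
        reasons.append("HTTP PUT to device web interface")
        if req.header("Content-Range") is not None:
            reasons.append("partial PUT: Content-Range header present")
    if not is_allowlisted(req.src):
        reasons.append(f"source {req.src} not in engineering allowlist")
    if not reasons:
        return None
    severity = "high" if is_put and not is_allowlisted(req.src) else "medium"
    return Finding(req, severity, reasons)


def scan(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        finding = assess(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic, not a real capture.
SAMPLE_LOG = [
    "2025-07-09T08:00:01Z 10.20.5.12 GET /powermanager/status",
    "2025-07-09T08:00:05Z 10.20.5.12 PUT /powermanager/config.json Content-Length=512",
    "2025-07-09T08:01:10Z 198.51.100.7 GET /powermanager/status",
    "2025-07-09T08:01:12Z 198.51.100.7 PUT /powermanager/upload/report.txt "
    "Content-Range=bytes 0-99/200;Content-Length=100",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.request.src} {f.request.method} {f.request.path}: "
              + "; ".join(f.reasons))
```

Run against the constructed sample, the allowlisted GET produces nothing, the allowlisted PUT and the outside GET are medium-severity policy findings, and the partial PUT from outside the allowlist is the single high-severity finding. Because the Tomcat access log does not record request headers by default, the Content-Range check needs records from a proxy, IDS or TLS-terminating front end that sees the headers; the PUT-method and source-address checks work on the plain access log as well.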