Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities

The 15 new advisories released by Siemens and Schneider Electric this Patch Tuesday address a total of 43 vulnerabilities, including ones that have been assigned a “critical” severity rating.

The 15 new advisories released by Siemens and Schneider Electric this Patch Tuesday address a total of 43 vulnerabilities, including ones that have been assigned a “critical” severity rating.

Siemens has released 12 advisories covering 35 vulnerabilities. Based on CVSS scores, the most important advisory covers 11 flaws affecting the web server of SICAM P850 and P855 devices.

One of these bugs is critical and it allows an unauthenticated attacker to execute arbitrary code or launch a denial-of-service (DoS) attack. The five high-severity vulnerabilities covered by the advisory can lead to DoS attacks, code execution, traffic capturing and interfering with device functionality, cross-site scripting (XSS) attacks, or access to a device’s management interface.

Critical and high-severity vulnerabilities have also been found in Desigo PXC3, PXC4, PXC5 and DXR2 devices. These flaws can be exploited for arbitrary code execution, and password spraying or credential stuffing attacks.

High-severity code execution issues have been identified in Simcenter Femap, JT2Go and Teamcenter Visualization, and various Siemens industrial products that use the cURL library.

Learn more about vulnerabilities in industrial systems at

SecurityWeek’s ICS Cyber Security Conference

Advertisement. Scroll to continue reading.

High-severity flaws that can be leveraged for DoS attacks have been discovered in Desigo DXR and PXC controllers, the CP 44x-1 RNA communication processor modules, Teamcenter, and various industrial products that use OPC Local Discovery Server.

A high-severity vulnerability that can be exploited by an authenticated attacker to escape the Kiosk Mode in SIMATIC WinCC has also been disclosed.

Siemens has started releasing patches for these vulnerabilities, but fixes are currently not available for all impacted products.

Schneider Electric has released three advisories to inform customers about eight vulnerabilities. Six of these flaws affect some Wiser Smart home automation products, including a critical hardcoded credentials issue, and high-severity vulnerabilities that can be exploited for brute-force attacks, admin account hijacking, cross-domain attacks, and obtaining authentication credentials.

The company has also informed customers about a medium-severity DoS vulnerability in Saitel DP remote terminal unit (RTU) products, and a high-severity remote code execution flaw in the PowerLogic ION Setup engineering tool for metering devices.

Schneider has released patches for Saitel DP RTU and PowerLogic ION products. In the case of Wiser Smart, the affected products have reached end of life and no longer receive patches, but the company has made available some mitigations.

Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities

Related: Siemens Addresses Over 90 Vulnerabilities Affecting Third-Party Components

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...