Connect with us

Hi, what are you looking for?



ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities

ICS Patch Tuesday: Siemens and Schneider Electric release nine new security advisories and fix 50 vulnerabilities in their industrial products.

Siemens and Schneider Electric on Tuesday released a total of nine new security advisories addressing a total of 50 vulnerabilities affecting their industrial products. 


Siemens has released five new advisories to inform customers about the availability of patches for more than 40 vulnerabilities. 

In its Simatic CN 4100 communication system, Siemens patched a critical issue that can be exploited to gain admin access and take complete control of a device, as well as a high-severity bug that can allow an attacker to bypass network isolation.

In Ruggedcom ROX products, the industrial giant fixed 21 vulnerabilities, including ones that can be exploited to obtain information, execute arbitrary commands or code, cause a DoS condition, or perform arbitrary actions through CSRF attacks. A majority have ‘critical’ or ‘high’ severity ratings, and some of these security holes impact third-party components.

Over a dozen vulnerabilities, including critical- and high-severity bugs, have been addressed in Simatic MV500 optical readers, including in their web server and third-party components. Exploitation can lead to DoS or information disclosure.

Patches have also been released for six high-severity issues in the Tecnomatix Plant Simulation software. They allow an attacker to crash the application or potentially execute arbitrary code by getting the targeted user to open specially crafted files. 

Advertisement. Scroll to continue reading.

Siemens also resolved a high-severity DoS issue in the SiPass access control system. 

Schneider Electric

Schneider Electric has released four new advisories. They cover six vulnerabilities that are specific to the company’s products and over a dozen flaws affecting a third-party component, the Codesys runtime system V3 communication server. 

The Codesys flaws impact PacDrive and Modicon controllers, Harmony HMIs, and the SoftSPS simulation runtime embedded in EcoStruxure Machine Expert. Exploitation of the security holes can lead to DoS and possibly remote code execution.

In the StruxureWare Data Center Expert (DCE) monitoring software, Schneider patched two high-severity and two medium-severity issues that can lead to unauthorized access or remote code execution.

A high-severity flaw has been patched in the Accutech Manager application for sensors, and a medium-severity information disclosure issue has been fixed in the EcoStruxure OPC UA Server Expert product.

Schneider Electric and Siemens Energy recently confirmed being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day vulnerability.

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities

Related: ICS Patch Tuesday: Siemens Addresses Over 180 Third-Party Component Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.