Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Siemens, Schneider Electric Address Serious Vulnerabilities in ICS Products

Siemens and Schneider Electric on Tuesday informed customers about the availability of patches and mitigations for several potentially serious vulnerabilities affecting their industrial control system (ICS) products.

Siemens and Schneider Electric on Tuesday informed customers about the availability of patches and mitigations for several potentially serious vulnerabilities affecting their industrial control system (ICS) products.

Siemens has released six new advisories and updated 18 previous advisories. The new advisories describe vulnerabilities affecting the company’s SICAM, SIMATIC, SIPLUS, LOGO! 8, SENTRON, SIRIUS, and XHQ products.

In LOGO! 8 and SIPLUS devices, the company fixed eight vulnerabilities, including a critical flaw that can allow an attacker who has network access to gain complete control over the targeted device.

Siemens has also started releasing patches for its SIPLUS, SIMATIC ITC, SIMATIC WinCC and SIMATIC HMI Panel products to fix several vulnerabilities discovered last year by Kaspersky in the TightVNC open source virtual network computing (VNC) system. The flaws include critical and high-severity issues that can be exploited for arbitrary code execution or DoS attacks.

The German industrial giant has also updated its XHQ Operations Intelligence products to address information disclosure, XSS, SQL injection, and CSRF vulnerabilities, including ones that have been classified as high severity.

Siemens has also released an advisory to inform customers that some of its products are affected by one of the recently disclosed Amnesia:33 vulnerabilities affecting TCP/IP stacks. Researchers have discovered 33 security holes and they have been found to impact millions of IoT and OT devices from 150 vendors, but Siemens says its SENTRON PAC devices and SIRIUS 3RW5 communication module are only affected by one of the Amnesia:33 vulnerabilities, one that can be exploited for DoS attacks.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

As for Schneider Electric, the company released a total of nine new advisories on Tuesday and updated several previous advisories.

Advertisement. Scroll to continue reading.

A majority of the new advisories address vulnerabilities identified in Schneider’s Modicon industrial controllers. One of these flaws was discovered by researchers at industrial cybersecurity firm Claroty, which published a blog post describing its findings on Tuesday. Last month, Schneider and Claroty disclosed several encryption vulnerabilities allowing hackers to take control of some Modicon PLCs.

Schneider informed customers this week that patches and mitigations are available for high- and medium-severity information disclosure, DoS, code execution, command execution, and account credential exposure issues. It’s worth noting that DoS vulnerabilities can have a bigger impact in the case of ICS compared to IT systems, as they can lead to disruptions in production.

Related: Critical Vulnerabilities Expose Siemens LOGO! Controllers to Attacks

Related: Schneider Electric Warns Customers of Drovorub Linux Malware

Related: Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Checkmarx has appointed Scott Gainey as Chief Marketing Officer.

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.