Security Experts:

Connect with us

Hi, what are you looking for?



Siemens Warns of Security Risks Associated With Use of ActiveX

Siemens this week addressed several vulnerabilities and warned customers about the security risks associated with the use of ActiveX in industrial products.

Siemens this week addressed several vulnerabilities and warned customers about the security risks associated with the use of ActiveX in industrial products.

Microsoft’s ActiveX controls make it possible for websites to provide certain types of content, such as videos and games, and they allow users to interact with certain types of elements in the browser, such as toolbars. However, ActiveX has been known to pose serious security risks and it’s currently only supported by Microsoft on Internet Explorer — ActiveX is not supported by other browsers such as Chrome, Safari or Firefox.

Even Microsoft has advised Internet Explorer 11 users not to disable security settings that prevent the downloading and execution of ActiveX controls, unless absolutely necessary. Malicious hackers can abuse ActiveX to collect information about a user, install malware, or take control of a device.

Some of Siemens’ industrial products — the list includes SIMATIC WinCC, SIMATIC STEP 7, SIMATIC PCS 7, TIA Portal, and S7-PLCSIM Advanced — rely on ActiveX components and customers need to use Internet Explorer to execute these components.

However, the German industrial giant has warned that using Internet Explorer to access untrusted websites can pose serious security risks. Siemens recommends using a web browser that does not support ActiveX if accessing web pages other than the ones associated with the company’s products.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s 2020 ICS Cyber Security Conference

Siemens also informed customers this week that it has patched a high-severity authentication bypass vulnerability in its SCALANCE X industrial switches. According to the company, an unauthenticated attacker with network access to the targeted switch can hack the device by sending a specially crafted GET request to a specific URI on the web-based configuration interface.

Researcher Maxim Rupp, who reported the vulnerability to Siemens, told SecurityWeek that an attacker could exploit this weakness to obtain sensitive internal information, access the device’s configuration interface, and change its settings. Rupp said he reported the flaw to Siemens in early 2019.

The vulnerability has been patched in SCALANCE X-300 and X408 switches, and the vendor has provided mitigations for other affected devices.

Siemens also patched a critical vulnerability in SINEMA Server that can allow an authenticated user with low privileges to perform firmware updates and other operations on a device.

The advisories published this week by Siemens also address a high-severity local privilege escalation vulnerability in TIA Portal, which can allow an attacker to execute code with SYSTEM privileges, and a medium-severity access control issue in SINAMICS PERFECT HARMONY.

Related: Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs

Related: Hackers Can Exploit Siemens Control System Flaws in Attacks on Power Plants

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.