Publication Date:
Last Update:
Current Version: V1.3
CVSS v3.1 Base Score: 9.0
Affected Product and Versions Remediation

All versions < V14.2023-08-23
affected by all CVEs

CAPE V14 installations installed from material dated 2023-08-23 or later are not affected, as they contain a fixed version of CodeMeter Runtime.

For installations of CAPE V14 using material earlier than 2023-08-23: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.


All versions < V15.0.22
affected by all CVEs
Update to V15.0.22 or later version
For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions < V34.9.6
affected by all CVEs
Update to V34.9.6 or later version
For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions < V35.6.1
affected by all CVEs
Update to V35.6.1 or later version
For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions
affected by all CVEs
Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions < V13.1.12.1
affected by all CVEs
Update to V13.1.12.1 or later version
For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions
affected by all CVEs
Currently no fix is planned

All versions
affected by all CVEs
Currently no fix is planned

All versions < V3.17 P030
affected by all CVEs

All versions < V3.18 P021
affected by all CVEs

All versions < V3.19 P006
affected by all CVEs

All versions >= V10.0 < V11.2
affected by all CVEs

All versions < V1.0 SP2 Update 2
affected by all CVEs
Update to V1.0 SP2 Update 2 or later version

All versions
affected by all CVEs
Currently no fix is planned
  • If CodeMeter Runtime is configured as server: Limit remote access to systems where the CodeMeter Runtime network server is running
  • If CodeMeter Runtime is configured as client only in the affected product: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

CVSS v3.1 Base Score 9.0
CVSS v3.1 Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-122: Heap-based Buffer Overflow

For more details regarding the vulnerability in CodeMeter Runtime refer to:

The attack vector and impact depends on the configuration of CodeMeter Runtime (i.e., CodeMeter.exe) on a vulnerable product:

  • If CodeMeter Runtime is configured as a server: an unauthenticated remote attacker could execute code on the system
  • If CodeMeter Runtime is configured as a client: an authenticated local attacker could gain root/admin privileges on the system.

https://www.siemens.com/cert/advisories
V1.0 (2023-09-12): Publication Date
V1.1 (2023-10-10): Added fix for PSS(R)E V35, SIMATIC WinCC OA V3.17 and SIMATIC WinCC OA V3.18; no fix planned for SIMATIC PCS neo V4.0
V1.2 (2023-12-12): Added fix for SINEC INS
V1.3 (2024-05-14): Added fix for SIMIT Simulation Platform