Publication Date:
Last Update:
Current Version: V1.0
CVSS v3.1 Base Score: 9.0
Affected Product and Versions Remediation

All versions < V14.2023-08-23

CAPE V14 installations installed from material dated 2023-08-23 or later are not affected, as they contain a fixed version of CodeMeter Runtime.
For installations of CAPE V14 using material earlier than 2023-08-23: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.


All versions < V15.0.22

For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions < V34.9.6

For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions
Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions
Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions < V13.1.12.1

For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

All versions

All versions

All versions

All versions

All versions < V3.19 P006

All versions
Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts

All versions

All versions
  • If CodeMeter Runtime is configured as server: Limit remote access to systems where the CodeMeter Runtime network server is running
  • If CodeMeter Runtime is configured as client only in the affected product: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Un-/Collapse All

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

CVSS v3.1 Base Score 9.0
CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE CWE-122: Heap-based Buffer Overflow

For more details regarding the vulnerability in CodeMeter Runtime refer to:

The attack vector and impact depends on the configuration of CodeMeter Runtime (i.e., CodeMeter.exe) on a vulnerable product:

  • If CodeMeter Runtime is configured as a server: an unauthenticated remote attacker could execute code on the system
  • If CodeMeter Runtime is configured as a client: an authenticated local attacker could gain root/admin privileges on the system.

https://www.siemens.com/cert/advisories

V1.0 (2023-09-12): Publication Date