SSA-523418

Siemens Security Advisory by Siemens ProductCERT

SSA-523418: Information Disclosure Vulnerability in Desigo CC

Publication Date:	2025-05-13
Last Update:	2025-05-13
Current Version:	V1.0
CVSS v3.1 Base Score:	7.5
CVSS v4.0 Base Score:	8.7

SUMMARY

Desigo CC deployments that use Installed Client are impacted by an information disclosure vulnerability which could result in information leak from the Desigo CC server. The other Desigo CC client options, Windows App Client and Flex Client, are not affected by this vulnerability.

Siemens recommends specific countermeasures for products where fixes are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION

Un-/Collapse All

Affected Product and Versions	Remediation
Desigo CC	On the Desigo CC server, disable the support for Installed Clients Restrict access to the server's event port (default: 4998/tcp)
Desigo CC All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone affected by CVE-2024-23815	On the Desigo CC server, disable the support for Installed Clients Restrict access to the server's event port (default: 4998/tcp)
Desigo CC All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones affected by CVE-2024-23815	On the Desigo CC server, disable the support for Installed Clients Restrict access to the server's event port (default: 4998/tcp)

WORKAROUNDS AND MITIGATIONS

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

Desigo CC is the integrated building management platform for managing high-performing buildings. With its open design, it has been developed to create comfortable, safe and efficient facilities. It is easily scalable from simple single-discipline systems to fully integrated buildings.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-23815

The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp)

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score	8.7
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-306: Missing Authentication for Critical Function

Product-Specific Vulnerability Description

For the following products, the impact of the vulnerability is different.

Desigo CC:

If access from Installed Clients to Desigo CC server is only allowed within highly protected zones: Exploitation of this issue requires an attacker to get access to an Installed Client application in the "highly protected zone" (i.e. a physically separated private network), and bypass the hardening measures as described by Desigo CC Cybersecurity Guideline.

CVSS v3.1 Base Score	5.7
CVSS v3.1 Vector	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Michelin CERT for reporting the vulnerability

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-05-13):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.