SSA-827383

Siemens Security Advisory by Siemens ProductCERT

SSA-827383: Multiple Vulnerabilities in Teamcenter

Publication Date:	2026-05-12
Last Update:	2026-05-12
Current Version:	V1.0
CVSS v3.1 Base Score:	7.5
CVSS v4.0 Base Score:	8.7

SUMMARY

Siemens Teamcenter is affected by multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality.

Siemens has released new versions for the affected products and recommends to update to the latest versions.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
Teamcenter	Show more details
Teamcenter V2312	Show more details
Teamcenter V2312 All versions < V2312.0014 affected by multiple CVEs CVE-2026-33862 CVE-2026-33893	Update to V2312.0014 or later version https://support.sw.siemens.com/product/282219420/
Teamcenter V2312 All versions < V2312.0009 affected by CVE-2024-4367	Update to V2312.0009 or later version https://support.sw.siemens.com/product/282219420/
Teamcenter V2406	Show more details
Teamcenter V2406 All versions < V2406.0012 affected by multiple CVEs CVE-2026-33862 CVE-2026-33893	Update to V2406.0012 or later version https://support.sw.siemens.com/product/282219420/
Teamcenter V2406 All versions < V2406.0006 affected by CVE-2024-4367	Update to V2406.0006 or later version https://support.sw.siemens.com/product/282219420/
Teamcenter V2412 All versions < V2412.0009 affected by multiple CVEs CVE-2026-33862 CVE-2026-33893	Update to V2412.0009 or later version https://support.sw.siemens.com/product/282219420/
Teamcenter V2506 All versions < V2506.0005 affected by multiple CVEs CVE-2026-33862 CVE-2026-33893	Update to V2506.0005 or later version https://support.sw.siemens.com/product/282219420/

KNOWN NOT AFFECTED PRODUCTS

Un-/Collapse All

Known Not Affected Products	Reason
Teamcenter V2512 All versions not affected by all CVEs CVE-2024-4367 CVE-2026-33862 CVE-2026-33893	Vulnerable component not present (Component Not Present)

MITIGATIONS

Product-specific remediations or mitigations can be found in the section Known Affected Products.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

Teamcenter software is a modern, adaptable product lifecycle management (PLM) system that connects people and processes, across functional silos, with a digital thread for innovation.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-4367

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVSS v3.1 Base Score	5.6
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE	CWE-754: Improper Check for Unusual or Exceptional Conditions

Vulnerability CVE-2026-33862

The affected application does not properly encode or filter user-supplied data. This could allow an attacker to inject malicious code that can be executed by other users when they visit the affected page.

CVSS v3.1 Base Score	7.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0 Base Score	8.5
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2026-33893

The affected application contains hardcoded key which is used for obfuscation stored directly into the application. This could allow an attacker to obtain these keys and misuse them to gain unauthorized access.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score	8.7
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-798: Use of Hard-coded Credentials

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Dustin Born, Robin Plugge, and Tim Wörner from usd AG for coordinated disclosure

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2026-05-12):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.