PatchSiren cyber security CVE debrief
CVE-2024-4367 Cert Portal CVE debrief
CISA republished Siemens ProductCERT advisory SSA-827383 for CVE-2024-4367 on 2026-05-12 and updated it on 2026-05-14. The supplied record says a missing type check when handling fonts in PDF.js could allow arbitrary JavaScript execution in the PDF.js context, but the advisory metadata maps the issue to Siemens Teamcenter version ranges. Siemens remediation entries in the source call for updating Teamcenter V2312 to 2312.0009 or later and V2406 to 2406.0006 or later. The record also lists V2412, V2506, and V2512 as affected, but the supplied remediation section does not include matching fix thresholds for those lines, so the vendor/product mapping should be verified against the official Siemens advisory before actioning broad remediation.
- Vendor: Cert Portal
- Product: Siemens Teamcenter
  - Teamcenter V2312: vers:intdot/<2312.0014, vers:intdot/<2312.0009
  - Teamcenter V2406: vers:intdot/<2406.0012, vers:intdot/<2406.0006
  - Teamcenter V2412: vers:intdot/<2412.0009
  - Teamcenter V2506: vers:intdot/<2506.0005
  - Teamcenter V2512: vers:all/*
- CVSS: MEDIUM 5.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Siemens Teamcenter administrators, patch and vulnerability management teams, and security owners responsible for deployments in the affected version families listed in the advisory. Teams should pay particular attention to V2312 and V2406 instances with available update paths, and verify whether separate guidance applies to V2412, V2506, and V2512.
Technical summary
The advisory text describes a missing type check during font handling that can enable arbitrary JavaScript execution in the PDF.js context. In the supplied CISA/Siemens advisory record, that CVE is associated with Siemens Teamcenter releases, with explicit fix thresholds only for V2312 and V2406. Because the description text and the product mapping do not align cleanly, exposure should be confirmed against the official Siemens ProductCERT advisory and CISA republication before relying on the supplied product mapping.
Defensive priority
Medium; prioritize validation and patch planning promptly for any Teamcenter deployment that matches the listed affected versions.
Recommended defensive actions
- Confirm whether your Siemens Teamcenter deployment matches the affected version ranges in the official Siemens ProductCERT and CISA advisories.
- Apply the listed vendor fixes where applicable: update Teamcenter V2312 to 2312.0009 or later, and V2406 to 2406.0006 or later.
- Check the official Siemens advisory for any separate guidance covering V2412, V2506, and V2512, since the supplied record lists those versions but does not include matching remediation entries.
- Treat the CVE description/product mapping as needing verification because the supplied record contains PDF.js/Firefox-style description text alongside Siemens Teamcenter product data.
- If immediate patching is not possible, reduce exposure by limiting access to affected Teamcenter instances and monitoring for unexpected application behavior until remediation is complete.
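The version check in the first three actions can be scripted. The following is an added example, not part of the advisory or of any Siemens tooling: it parses the range string from this page's Product field and triages an installed version, assuming (hypothetically) that the installed version is reported in the same dotted form as the thresholds, for example `2312.0005`.

```python
import re

# Range string as listed in this page's Product field.
PRODUCT_FIELD = (
    "Siemens Teamcenter V2312 vers:intdot/<2312.0014 vers:intdot/<2312.0009 "
    "Teamcenter V2406 vers:intdot/<2406.0012 vers:intdot/<2406.0006 "
    "Teamcenter V2412 vers:intdot/<2412.0009 Teamcenter V2506 vers:intdot/<2506.0005 "
    "Teamcenter V2512 vers:all/*")
# Fix thresholds the page states explicitly; the other lines have none listed.
REMEDIATION = {"V2312": "2312.0009", "V2406": "2406.0006"}

def intdot(version):
    """Dot-separated integers compared numerically, so 0009 < 0014."""
    return tuple(int(part) for part in version.split("."))

def parse_ranges(field):
    """Map each release line to its upper bounds (None means vers:all/*)."""
    ranges, line = {}, None
    for tok in field.split():
        if re.fullmatch(r"V\d{4}", tok):
            line = tok
            ranges[line] = []
        elif tok.startswith("vers:") and line:
            scheme, _, constraint = tok[5:].partition("/")
            if scheme == "all":
                ranges[line].append(None)
            elif scheme == "intdot" and constraint.startswith("<"):
                ranges[line].append(intdot(constraint[1:]))
            else:
                raise ValueError(f"unhandled constraint: {tok}")
    return ranges

def triage(installed):
    """Classify one installed version (assumed form: '<line>.<build>')."""
    line = "V" + installed.split(".")[0]
    bounds = parse_ranges(PRODUCT_FIELD).get(line)
    if bounds is None:
        return "release line not listed"
    v = intdot(installed)
    if not any(b is None or v < b for b in bounds):
        return "outside listed ranges"
    fix = REMEDIATION.get(line)
    if fix is None:
        return "in listed range, no fix threshold listed: verify with Siemens advisory"
    if v < intdot(fix):
        return f"update to {fix} or later"
    # Meets the listed fix but still sits under the wider bound for this line.
    return "meets listed fix but inside a wider listed range: verify with Siemens advisory"
```

Versions between the two bounds listed for one release line (for example between 2312.0009 and 2312.0014) are flagged for verification rather than cleared, because the supplied record does not say which bound belongs to this CVE.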
Evidence notes
Primary evidence comes from the supplied CISA CSAF republication of Siemens ProductCERT SSA-827383 (ICSA-26-134-04), published 2026-05-12 and revised 2026-05-14. The advisory metadata lists Siemens Teamcenter, identifies affected version families including V2312, V2406, V2412, V2506, and V2512, and provides explicit remediation entries for V2312 (2312.0009 or later) and V2406 (2406.0006 or later). The supplied description text states that a missing type check in PDF.js could allow arbitrary JavaScript execution in the PDF.js context, which does not cleanly match the Teamcenter product mapping; that inconsistency is the main evidence quality concern and should be validated against the official Siemens advisory pages linked in the source.
Official resources
- CVE-2024-4367 CVE record (CVE.org)
- CVE-2024-4367 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-05-12 and republished it on 2026-05-14 as an initial republication of Siemens ProductCERT SSA-827383. The supplied enrichment does not mark this CVE as KEV-listed.