PatchSiren cyber security CVE debrief
CVE-2017-9120 Siemens CVE debrief
CVE-2017-9120 is a critical integer overflow vulnerability in PHP 7.x through 7.1.5 affecting the mysqli_real_escape_string function. The vulnerability allows remote attackers to trigger a buffer overflow and application crash, or potentially achieve unspecified other impacts, by supplying an excessively long string. This flaw was originally disclosed in 2017 but was incorporated into CISA's ICS advisory ICSA-24-102-04 on April 9, 2024, as part of a bundled security update for Siemens RUGGEDCOM APE1808 devices. The advisory was subsequently updated on May 13, 2025, to include additional upstream vulnerabilities. Siemens has identified this vulnerability as affecting RUGGEDCOM APE1808 when configured with Palo Alto Networks Virtual NGFW, with remediation available through upgrading to V11.1.2-h3. The CVSS 3.1 score of 9.8 reflects a network-exploitable, low-complexity attack that requires no privileges or user interaction and has high impact on confidentiality, integrity, and availability.
- Vendor: Siemens
- Product: RUGGEDCOM APE1808
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2025-05-13
- Advisory published: 2024-04-09
- Advisory updated: 2025-05-13
Who should care
Organizations operating Siemens RUGGEDCOM APE1808 devices with Palo Alto Networks Virtual NGFW configurations should prioritize remediation. Industrial control system operators, critical infrastructure providers, and security teams responsible for OT/ICS environments need to assess exposure and implement available patches. PHP application developers maintaining legacy PHP 7.x deployments should evaluate input validation controls and consider migration to supported PHP versions.
Technical summary
CVE-2017-9120 is an integer overflow vulnerability in PHP's mysqli_real_escape_string function present in versions 7.x through 7.1.5. The function fails to properly handle excessively long input strings, resulting in an integer overflow that can lead to heap buffer overflow conditions. This vulnerability is remotely exploitable without authentication and can cause denial of service through application crashes. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, no required privileges or user interaction, and high impact across all three security dimensions. Siemens has identified this vulnerability as affecting RUGGEDCOM APE1808 devices when configured with Palo Alto Networks Virtual NGFW, with remediation available through firmware upgrade to V11.1.2-h3.
Defensive priority
critical
Recommended defensive actions
- Upgrade Palo Alto Networks Virtual NGFW to version V11.1.2-h3 on affected RUGGEDCOM APE1808 devices. Contact Siemens customer support to obtain patch and update information.
- Apply network segmentation and access controls to limit exposure of affected devices to untrusted networks.
- Monitor for anomalous PHP application behavior or unexpected process crashes that may indicate exploitation attempts.
- Review and implement CISA ICS recommended practices for defense-in-depth strategies in industrial control environments.
- Validate input length restrictions in applications utilizing mysqli_real_escape_string as a compensating control where patching is not immediately feasible.
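The length restriction in the last item, shown as an added C example that is not code from PHP, Siemens or the advisory. It assumes the escape routine sizes its output as twice the input length plus a terminator (the usual worst case for backslash escaping; the page only states that an excessively long string triggers the overflow), and the names MAX_ESCAPE_INPUT, escaped_capacity and escape_checked are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical application limit (assumption); size it to the largest field you accept. */
#define MAX_ESCAPE_INPUT ((size_t)1 << 20)

/* Unchecked sizing, done in 32 bits so the wraparound shows on any platform. */
uint32_t unchecked_capacity32(uint32_t len)
{
    return 2u * len + 1u;            /* wraps modulo 2^32 for large len */
}

/* Checked sizing: returns 1 and sets *cap, or 0 if len is over the limit
 * or 2*len+1 cannot be represented in size_t. */
int escaped_capacity(size_t len, size_t *cap)
{
    if (len > MAX_ESCAPE_INPUT || len > (SIZE_MAX - 1) / 2)
        return 0;
    *cap = 2 * len + 1;
    return 1;
}

/* Simplified escaper (quotes and backslash only, not MySQL's full rule set).
 * Returns a malloc'd NUL-terminated string, or NULL if the input is rejected. */
char *escape_checked(const char *in, size_t len)
{
    size_t cap, j = 0;
    if (!escaped_capacity(len, &cap))
        return NULL;
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'' || in[i] == '"' || in[i] == '\\')
            out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';
    return out;
}
```

The unchecked form returns a capacity of 1 for a 2 GiB length, which is how an undersized buffer ends up being written past its end; the checked form rejects the input before any allocation.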
Evidence notes
The vulnerability description and affected product information are derived from CISA CSAF source ICSA-24-102-04, which references Siemens security advisory SSA-455250. The CVSS vector and remediation guidance are extracted from the CSAF remediation section specifying Palo Alto Networks Virtual NGFW V11.1.2-h3 as the vendor fix.
Official resources
- CVE-2017-9120 CVE record (CVE.org)
- CVE-2017-9120 NVD detail (NVD)
- Source item URL (cisa_csaf)
CVE-2017-9120 was originally published in 2017. CISA incorporated this vulnerability into advisory ICSA-24-102-04 on April 9, 2024, with subsequent updates on May 14, 2024; July 9, 2024; September 10, 2024; October 8, 2024; December 10, 202