PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-44725 Siemens CVE debrief

A local privilege escalation vulnerability exists in the OPC Foundation Local Discovery Server (LDS) component used across multiple Siemens industrial products. The LDS employs a hard-coded file path to load its configuration file. A low-privileged local attacker can place a malicious file at this predictable location, which the LDS then loads while executing with elevated privileges. This allows the attacker to achieve arbitrary code execution with high-level permissions. The vulnerability was published on 2023-04-11 and affects 12 Siemens product lines including SIMATIC NET PC Software (versions 14–18), SIMATIC WinCC variants, SIMATIC Process Historian OPC UA Servers, TeleControl Server Basic, and OpenPCS 7. Siemens has released patches for most affected products; however, OpenPCS 7 V9.1, SIMATIC NET PC Software V14/V15, and SIMATIC Process Historian 2020 OPC UA Server have no planned fixes. Organizations should apply vendor updates where available and implement strict file system permissions and application whitelisting as compensating controls for unpatched systems.

Vendor: Siemens
Product: OpenPCS 7 V9.1
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-04-11
Original CVE updated: 2025-09-09
Advisory published: 2023-04-11
Advisory updated: 2025-09-09

Who should care

Organizations operating Siemens industrial automation and control systems, particularly those using SIMATIC NET PC Software, SIMATIC WinCC, SIMATIC Process Historian, TeleControl Server Basic, or OpenPCS 7. Asset owners in manufacturing, energy, water/wastewater, and critical infrastructure sectors where these HMI/SCADA components are deployed should prioritize patching or implementing compensating controls.

Technical summary

The OPC Foundation Local Discovery Server (LDS) in affected Siemens products uses a hard-coded file path when loading its configuration file. Because the LDS service runs with elevated privileges, a local attacker with low privileges can create a malicious file at the predictable path, causing the LDS to load attacker-controlled content during initialization. This results in privilege escalation to the service account context (typically SYSTEM or equivalent). The attack requires local access and no user interaction, with low attack complexity. CVSS 3.1 score: 7.8 (High).
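For systems that cannot be patched, the file system control that matters is whether low-privileged accounts can create or replace the file at the hard-coded location. The PowerShell function below is an added example, not Siemens or OPC Foundation code: `Get-LowPrivWriteAce` is a hypothetical name, and the path is a placeholder because this page does not state the actual location.

```powershell
# Added example: list ACEs that let low-privileged groups plant or replace a file at a fixed path.
function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$ConfigPath)

    # Rights that allow creating, replacing or re-permissioning the file.
    # On a directory, WriteData = create files and AppendData = create subdirectories.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'

    # Broad low-privileged groups, matched by SID so the check is locale-independent.
    $lowPriv = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }

    # The file may not exist yet, so the ACL that matters is the one on the
    # nearest existing ancestor directory: whoever can create there can plant it.
    $dir = Split-Path -Path $ConfigPath -Parent
    while ($dir -and -not (Test-Path -LiteralPath $dir)) {
        $dir = Split-Path -Path $dir -Parent
    }
    $targets = @()
    if ($dir) { $targets += $dir }
    if (Test-Path -LiteralPath $ConfigPath) { $targets += $ConfigPath }

    foreach ($target in $targets) {
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not evaluated here
            if (-not $lowPriv.ContainsKey($sid)) { continue }
            # Inherit-only ACEs apply to children, not to this object itself.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            $granted = [int]$ace.FileSystemRights -band $mask
            if ($granted) {
                [pscustomobject]@{
                    Path      = $target
                    Principal = $lowPriv[$sid]
                    Rights    = [System.Security.AccessControl.FileSystemRights]$granted
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}
# Placeholder path: substitute the location named in the vendor advisory.
# Get-LowPrivWriteAce -ConfigPath 'C:\<path-from-advisory>\<config-file>'
```

Any row returned means a broad user group can write at or above the configuration path; an empty result does not cover rights granted to individual accounts or custom groups.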

Defensive priority

High

Recommended defensive actions

  • Apply vendor-supplied updates for affected Siemens products per the specific version guidance: SIMATIC NET PC Software V16 to Update 8 or later, V17 to SP1 Update 1 or later, V18 to Update 1 or later; SIMATIC WinCC to V8

Evidence notes

The vulnerability description and affected product list are derived from CISA CSAF advisory ICSA-24-102-08, which references Siemens security advisory SSA-691715. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) confirms local attack vector with low complexity and high impact on confidentiality, integrity, and availability. Remediation guidance including specific patch versions and 'no fix planned' status for certain products is documented in the CSAF remediation section.
