CVE-2023-52891 Siemens CVE debrief

Who should care

Organizations operating Siemens SIMATIC Energy Manager, SIMATIC IPC diagnostic tools, or SIMIT simulation software with OPC UA server functionality enabled. Industrial control system operators in manufacturing, energy, and process industries relying on these products for operations or diagnostics.

Technical summary

The vulnerability stems from the Unified Automation .NET-based OPC UA Server SDK before version 3.2.2, which is incorporated into Siemens SIMATIC Energy Manager Basic, SIMATIC Energy Manager PRO, SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor, SIMIT V10, and SIMIT V11. A successful attack can trigger a high-load situation leading to memory exhaustion and server blocking. The issue is analogous to CVE-2023-27321 in the OPC Foundation UA .NET Standard implementation. CVSS 3.1 score: 5.3 (Medium).

Defensive priority

medium

Recommended defensive actions

• For SIMIT V11: Update to version 11.1 or later
• For SIMATIC Energy Manager Basic/PRO: Update to version 7.5 or later
• For SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor, and SIMIT V10: No vendor fix is planned; apply compensating controls
• Disable the OPC UA server if it is not required
• Restrict OPC UA interface access to trusted clients only
• Monitor OPC UA servers for anomalous memory consumption or connection patterns
• Implement network segmentation to limit OPC UA exposure
• Apply defense-in-depth strategies per CISA ICS recommended practices

Evidence notes

CVE published 2024-07-09; modified 2025-05-06. CISA ICS advisory ICSA-24-193-07. Siemens security advisory SSA-088132. CVSS 5.3 (Medium). Not in CISA KEV.

Official resources