PatchSiren


CVE-2024-23815 Siemens CVE debrief

CVE-2024-23815 affects Siemens Desigo CC. The advisory states that the server application fails to authenticate specific client requests, and that a modified client binary could let an unauthenticated remote attacker execute arbitrary SQL queries against the server database over the event port (default 4998/tcp). In environments where Installed Client access is limited to highly protected zones, the vendor notes exploitation also depends on gaining access to an Installed Client in that zone and bypassing Desigo CC hardening guidance.

Vendor: Siemens
Product: Desigo CC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-13
Original CVE updated: 2025-05-13
Advisory published: 2025-05-13
Advisory updated: 2025-05-13

Who should care

OT/ICS defenders and administrators running Siemens Desigo CC, especially teams responsible for network segmentation, the event port, and Installed Client deployment.

Technical summary

This issue is an authentication failure on the server side for specific client requests. Per the advisory, it can be abused through the event port to issue arbitrary SQL queries against the backend database. Exposure is highest where the event port is reachable from untrusted networks or where Installed Client hardening and zone restrictions are not enforced.

Defensive priority

High for any exposed Desigo CC deployment; lower only where access is tightly segmented and Installed Client support is disabled per vendor guidance.

Recommended defensive actions

  • Restrict access to the server's event port (default: 4998/tcp) to trusted systems only.
  • On the Desigo CC server, disable support for Installed Clients.
  • Verify that access from Installed Clients is limited to highly protected zones and that the vendor hardening guidance is enforced.
  • Review and apply Siemens cybersecurity guidance and CISA ICS recommended practices for defense-in-depth and segmentation.
  • Inventory Desigo CC deployments to confirm whether the event port is exposed outside the intended OT trust boundary.
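
One way to check the port restriction and the inventory item above against firewall or flow records, as an added example that is not taken from the Siemens or CISA advisory. The server address, trusted zone, and CSV log layout are assumptions constructed for illustration; only the 4998/tcp default comes from the advisory.

```python
import csv
import io
import ipaddress

EVENT_PORT = 4998  # Desigo CC event port default, per the advisory

# Assumption: example addressing, not taken from the advisory.
DESIGO_SERVERS = {ipaddress.ip_address("10.20.0.10")}
TRUSTED_ZONES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed firewall/flow export in a hypothetical CSV layout.
SAMPLE_LOG = """\
ts,src,dst,dport,proto,action
2025-05-14T08:00:01Z,10.20.0.31,10.20.0.10,4998,tcp,allow
2025-05-14T08:02:17Z,10.50.3.7,10.20.0.10,4998,tcp,allow
2025-05-14T08:03:40Z,192.0.2.44,10.20.0.10,4998,tcp,deny
2025-05-14T08:05:02Z,10.50.3.7,10.20.0.10,443,tcp,allow
2025-05-14T08:06:55Z,not-an-ip,10.20.0.10,4998,tcp,allow
"""

def audit_event_port(log_text):
    """Return (findings, malformed) for event-port flows from outside trusted zones."""
    findings, malformed = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, KeyError, TypeError):
            malformed.append(row)  # keep for review instead of silently dropping
            continue
        if dst not in DESIGO_SERVERS or dport != EVENT_PORT or row.get("proto") != "tcp":
            continue
        if any(src in net for net in TRUSTED_ZONES):
            continue
        # "allow" means a segmentation gap; "deny" means the rule held
        # but an untrusted source tried to reach the event port.
        severity = "exposed" if row.get("action") == "allow" else "blocked"
        findings.append((row["ts"], str(src), severity))
    return findings, malformed

if __name__ == "__main__":
    findings, malformed = audit_event_port(SAMPLE_LOG)
    for ts, src, severity in findings:
        print(f"{ts} {src} -> {EVENT_PORT}/tcp [{severity}]")
    print(f"{len(malformed)} malformed row(s) skipped")
```

An "exposed" finding means the event port is reachable from outside the intended trust boundary and the access rule needs tightening; a "blocked" finding confirms the rule works and identifies a source worth investigating.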

Evidence notes

The source corpus is the CISA CSAF advisory ICSA-25-135-04 (published 2025-05-13) and Siemens advisory SSA-523418. The corpus explicitly states the authentication failure, the default event port 4998/tcp, the mitigations to restrict port access and disable Installed Client support, and the added zone/hardening caveat. No affected version range, fixed release, or KEV entry is supplied in the corpus.

Official resources

Publicly disclosed on 2025-05-13 in CISA advisory ICSA-25-135-04, with Siemens advisory SSA-523418 as the vendor reference.