PatchSiren cyber security CVE debrief

CVE-2024-26276 Siemens CVE debrief

CVE-2024-26276 is a stack exhaustion vulnerability in Siemens JT2Go and Teamcenter Visualization products, published on June 11, 2024. The vulnerability occurs when parsing specially crafted X_T (Parasolid) files, allowing an attacker to cause a denial of service condition. The CVSS 3.1 score of 3.3 (Low severity) reflects the local attack vector and the user interaction requirement. Affected products include JT2Go, Teamcenter Visualization V14.2, V14.3, and V2312. Siemens has released patched versions: V14.2.0.12, V14.3.0.9, and V2312.0004. As an interim mitigation, users should avoid opening untrusted X_T files. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Siemens
Product: JT2Go
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2024-04-09
Advisory published: 2024-04-09
Advisory updated: 2024-04-09

Who should care

Organizations using Siemens JT2Go or Teamcenter Visualization for viewing CAD files, particularly in industrial and manufacturing environments where X_T file exchange is common. Security teams in OT/ICS environments should prioritize patching during scheduled maintenance windows.

Technical summary

A stack exhaustion vulnerability exists in Siemens JT2Go and Teamcenter Visualization products when parsing specially crafted X_T (Parasolid) files. A malformed file drives the parser into unbounded stack consumption, so the application crashes and the result is a denial of service. The attack requires local access and user interaction (opening a malicious file). The CVSS 3.1 score of 3.3 reflects AV:L (local attack vector), UI:R (user interaction required), and A:L (low availability impact); confidentiality and integrity are not affected. Siemens has addressed this in V14.2.0.12, V14.3.0.9, and V2312.0004.

Defensive priority

routine

Recommended defensive actions

  • Update JT2Go to version V2312.0004 or later
  • Update Teamcenter Visualization V14.2 to version V14.2.0.12 or later
  • Update Teamcenter Visualization V14.3 to version V14.3.0.9 or later
  • Update Teamcenter Visualization V2312 to version V2312.0004 or later
  • Avoid opening untrusted X_T files in affected applications until patches can be applied
  • Apply defense-in-depth practices for industrial control systems environments
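To turn the version list above into something an inventory script can act on, here is an added example (not PatchSiren's or Siemens' own code) that compares an installed JT2Go or Teamcenter Visualization version against the fixed versions named in this debrief. The product and branch names, the assumption that Siemens branches are either "major.minor" (14.2, 14.3) or a four-digit release number (2312), and the sample inventory rows are all constructed for the example; the fixed version strings come from the advisory text.

```python
"""Compare installed Siemens JT2Go / Teamcenter Visualization versions
against the fixed versions listed for CVE-2024-26276.

Added example for this debrief; not vendor code. Branch mapping is an
assumption derived from the version strings in the advisory.
"""
from __future__ import annotations

import re

# Fixed versions per (product, branch), as stated in the advisory.
FIXED_VERSIONS: dict[tuple[str, str], str] = {
    ("JT2Go", "2312"): "V2312.0004",
    ("Teamcenter Visualization", "14.2"): "V14.2.0.12",
    ("Teamcenter Visualization", "14.3"): "V14.3.0.9",
    ("Teamcenter Visualization", "2312"): "V2312.0004",
}


def parse_version(text: str) -> tuple[int, ...]:
    """'V14.2.0.12' -> (14, 2, 0, 12); 'V2312.0004' -> (2312, 4).

    The leading 'V' is optional. Anything that is not dotted digits raises
    ValueError rather than silently comparing as 'patched'.
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(version: tuple[int, ...]) -> str:
    """Map a parsed version to its advisory branch (assumption: 14.x
    releases are keyed by major.minor, 2312-style releases by the
    four-digit number alone)."""
    if version[0] >= 2000:
        return str(version[0])
    if len(version) > 1:
        return f"{version[0]}.{version[1]}"
    return str(version[0])


def assess(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable', or 'not covered' (branch not named
    in the advisory, so this check cannot say either way)."""
    ver = parse_version(installed)
    fixed = FIXED_VERSIONS.get((product, branch_of(ver)))
    if fixed is None:
        return "not covered"
    # Tuple comparison is lexicographic, so a shorter version such as
    # (14, 2, 0) correctly sorts below (14, 2, 0, 12).
    return "patched" if ver >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory rows: (host, product, installed version).
    inventory = [
        ("eng-ws-01", "Teamcenter Visualization", "V14.2.0.11"),
        ("eng-ws-02", "Teamcenter Visualization", "V14.3.0.9"),
        ("eng-ws-03", "JT2Go", "V2312.0003"),
        ("eng-ws-04", "Teamcenter Visualization", "V14.1.0.5"),
    ]
    for host, product, version in inventory:
        print(f"{host:10} {product:26} {version:12} {assess(product, version)}")
```

Hosts reported as "vulnerable" are the ones to schedule into the next maintenance window; "not covered" rows should be reconciled against the vendor advisory by hand rather than treated as safe.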

Evidence notes

The vulnerability description and affected products are sourced from CISA CSAF advisory ICSA-24-165-08. Remediation guidance including specific patched versions is documented in the CSAF remediation section. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) confirms local attack vector with user interaction required.

Official resources

CVE-2024-26276 was published on June 11, 2024, with the advisory last modified on August 13, 2024 to add fix version information for Teamcenter Visualization V14.2.0.12.