PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-32742 Siemens CVE debrief

CVE-2024-32742 is a HIGH severity vulnerability (CVSS 7.6) affecting the Siemens SIMATIC CN 4100 industrial communication device. Published on May 14, 2024, this vulnerability stems from an unrestricted USB port on the affected device. An attacker with local physical access could exploit this port to boot an alternative operating system, thereby gaining complete read/write access to the device's filesystem. The attack requires physical proximity but has low complexity, with no privileges or user interaction needed. The impact is severe, affecting confidentiality, integrity, and availability with a scope change to other resources. Siemens has released a vendor fix in version 3.0 or later. Organizations should prioritize patching and implement physical security controls to restrict unauthorized local access to affected devices.

Vendor: Siemens
Product: SIMATIC CN 4100
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-14
Original CVE updated: 2024-05-14
Advisory published: 2024-05-14
Advisory updated: 2024-05-14

Who should care

Organizations operating Siemens SIMATIC CN 4100 devices in industrial environments, including manufacturing, energy, water/wastewater, and critical infrastructure sectors. Security teams responsible for OT/ICS asset protection, physical security personnel, and compliance officers managing NERC CIP or IEC 62443 requirements should prioritize assessment and remediation.

Technical summary

The Siemens SIMATIC CN 4100 contains an unrestricted USB port that lacks adequate access controls. An attacker with local physical access can connect a USB device containing an alternative operating system and boot from it, bypassing the device's native security controls. This grants the attacker complete read/write access to the filesystem, enabling data exfiltration, configuration tampering, or implant deployment. The CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects a physical attack vector, low attack complexity, no privileges required, no user interaction, a scope change, and high impact on confidentiality, integrity, and availability. The vulnerability is classified as HIGH severity with a base score of 7.6.

Defensive priority

HIGH

Recommended defensive actions

  • Update affected SIMATIC CN 4100 devices to version 3.0 or later as provided by Siemens
  • Implement physical security controls to restrict unauthorized local access to device USB ports
  • Deploy defense-in-depth strategies for industrial control systems per CISA guidance
  • Monitor for unauthorized physical access attempts to critical infrastructure devices
  • Review and apply CISA ICS recommended practices for securing industrial control systems

Evidence notes

Vulnerability description and remediation details sourced from CISA CSAF advisory ICSA-24-137-06. CVSS vector confirms physical attack vector (AV:P) with high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). Vendor fix confirmed via Siemens ProductCERT advisory SSA-273900.
