PatchSiren cyber security CVE debrief
CVE-2024-35783 Siemens CVE debrief
A critical vulnerability in Siemens SIMATIC industrial control systems allows authenticated attackers to execute arbitrary OS commands with administrative privileges due to database servers running with elevated privileges. The vulnerability affects 11 products across the SIMATIC product line including BATCH, PCS 7, WinCC, Process Historian, and Information Server versions. Siemens has released patches for most affected products between September 2024 and January 2025, with only SIMATIC WinCC V7.4 having no planned fix. The CVSS 3.1 score of 9.1 reflects high impact across confidentiality, integrity, and availability with network attack vector and low attack complexity. Organizations should prioritize patching based on their specific product deployments, particularly for internet-exposed industrial control systems.
- Vendor: Siemens
- Product: SIMATIC BATCH V9.1
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-10
- Original CVE updated: 2025-01-14
- Advisory published: 2024-09-10
- Advisory updated: 2025-01-14
Who should care
Organizations operating Siemens SIMATIC industrial automation and SCADA systems, particularly in critical infrastructure sectors including manufacturing, energy, water treatment, and chemical processing. Security teams responsible for operational technology (OT) environments, industrial control system administrators, and compliance officers managing IEC 62443 or NIST CSF implementations should prioritize assessment and remediation.
Technical summary
The vulnerability exists because affected SIMATIC products run their database server processes with elevated (administrative/system) privileges rather than least-privilege service accounts. An authenticated attacker with access to the system can leverage this misconfiguration to execute arbitrary operating system commands with the same elevated privileges as the database server. The attack requires high privileges (authenticated access) but has low complexity and can be executed over the network. The scope change metric in the CVSS vector (S:C) means the vulnerable component impacts resources beyond its security scope. The vulnerability spans multiple product families that share common database architecture components. Siemens' remediation strategy involves updating to patched versions that properly constrain database server privileges or run services under reduced privilege contexts.
Defensive priority
critical
Recommended defensive actions
- Apply vendor patches immediately for affected SIMATIC products: update SIMATIC WinCC Runtime Professional V18 to Update 5 or later, V19 to Update 3 or later; SIMATIC WinCC V7.5 to SP2 Update 18 or later; SIMATIC WinCC V8.0 to Update 5 or later; SIMATIC PCS 7 V9.1 and SIMATIC BATCH V9.1 to SP2 UC06 or later; SIMATIC Process Historian and Information Server 2020 to SP2 Update 5 or later; 2022 versions to SP1 Update 2 or later using PCS neo V5.0 Update 1 bundled versions. For SIMATIC WinCC V7.4 with no planned fix, implement compensating controls including network segmentation, access restrictions, and migration planning to supported versions.
- Restrict network access to affected systems following ICS-CERT recommended practices for defense in depth.
- Monitor for anomalous database server process activity and privileged command execution on SIMATIC hosts.
- Review and enforce principle of least privilege for all accounts with access to SIMATIC systems.
- Validate patch deployment across all affected product instances in operational technology environments.
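
The monitoring action above (anomalous database server process activity and privileged command execution) can be sketched as a triage over process-creation events. This is an added example, not code from the advisory or from Siemens; the Sysmon-style field names, the `sqlservr.exe` image name, and the sample hosts, accounts and paths are assumptions.

```python
# Added example. Assumptions (not from the advisory): events are
# process-creation records with Sysmon-style field names, and the database
# engine binary is sqlservr.exe. Adjust both to the telemetry you collect.
DB_SERVER_IMAGES = {"sqlservr.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
PRIVILEGED_USERS = {"nt authority\\system"}

def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Severity for one event: 'high', 'medium', 'low', or None if unrelated."""
    if image_name(event.get("ParentImage", "")) not in DB_SERVER_IMAGES:
        return None
    if image_name(event.get("Image", "")) not in INTERPRETERS:
        return "low"      # unusual child of the database server: baseline it
    if event.get("User", "").lower() in PRIVILEGED_USERS:
        return "high"     # OS command run with the server's elevated rights
    return "medium"       # interpreter spawned, but under a reduced account

def scan(events):
    """Return (severity, host, command line) for every flagged event."""
    hits = []
    for ev in events:
        sev = triage(ev)
        if sev:
            hits.append((sev, ev.get("Computer", "?"), ev.get("CommandLine", "")))
    return hits

# Constructed sample events (hosts, accounts and paths are illustrative).
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"Computer": "OS-SRV-01", "User": r"NT AUTHORITY\SYSTEM", "ParentImage": SQL,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"Computer": "OS-SRV-02", "User": r"PLANT\svc_sql", "ParentImage": SQL,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"Computer": "ENG-WS-07", "User": r"PLANT\operator",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Computer": "OS-SRV-01", "User": r"NT AUTHORITY\SYSTEM", "ParentImage": SQL,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

A host that still reports `high` after patching is worth checking against the least-privilege review in the list above, since the severity depends on the account the database server runs under.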
Evidence notes
Vulnerability disclosed in CISA ICS advisory ICSA-24-256-14 on September 10, 2024. Siemens published security advisory SSA-629254 with remediation guidance. Advisory updated multiple times through January 14, 2025 to add fix information for additional products. CVSS vector confirms network attack vector, low complexity, high privileges required, and scope change indicating impact beyond vulnerable component.
Official resources
- CVE-2024-35783 CVE record (CVE.org)
- CVE-2024-35783 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-09-10