PatchSiren cyber security CVE debrief
CVE-2024-37996 Siemens CVE debrief
CVE-2024-37996 is a null pointer dereference vulnerability in Siemens JT2Go and Teamcenter Visualization products, published on 2024-10-08 and last modified on 2025-05-06. The vulnerability exists in the XML parsing functionality of affected applications, where specially crafted XML files can trigger a null pointer dereference leading to application crash and denial of service. The CVSS 3.1 score of 3.3 (LOW severity) reflects the local attack vector and requirement for user interaction. Affected products include JT2Go and multiple versions of Teamcenter Visualization (V14.2, V14.3, V2312, V2406). Siemens has released patched versions for all affected product lines, with updates available as of the original advisory publication. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Siemens
- Product: JT Open
- CVSS: LOW 3.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-09
- Original CVE updated: 2024-07-09
- Advisory published: 2024-07-09
- Advisory updated: 2024-07-09
Who should care
Organizations using Siemens JT2Go or Teamcenter Visualization for CAD file viewing and collaboration, particularly in industrial and manufacturing environments where these tools are deployed for technical data visualization.
Technical summary
A null pointer dereference vulnerability exists in the XML parsing components of Siemens JT2Go and Teamcenter Visualization products. When parsing specially crafted XML files, the application fails to handle null pointer conditions, resulting in application crash and denial of service. The vulnerability requires local access and user interaction to trigger, as the victim must open a malicious XML file in the affected application. The attack does not result in confidentiality or integrity impacts, only availability impact through application termination.
Defensive priority
routine
Recommended defensive actions
- Apply vendor-provided security updates: update JT2Go and Teamcenter Visualization V2406 to V2406.0003 or later; update Teamcenter Visualization V14.2 to V14.2.0.13 or later; update Teamcenter Visualization V14.3 to V14.3.0.11 or later; update Teamcenter Visualization V2312 to V2312.0008 or later
- Implement user training to avoid opening untrusted XML files in affected applications until patches are deployed
- Validate XML files from untrusted sources before processing in affected applications
- Monitor for application crashes in JT2Go and Teamcenter Visualization that may indicate exploitation attempts
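The version thresholds in the first action can be checked against a software inventory. The sketch below is an added example, not Siemens or CISA tooling; the host names and inventory rows are constructed, and it assumes installed versions are reported in the same "V..." format the advisory uses and that older JT2Go builds compare numerically below V2406.0003.

```python
import re

# Fixed versions per release line, taken from the recommended actions above.
FIXED_BY_LINE = {
    "V14.2": "V14.2.0.13",
    "V14.3": "V14.3.0.11",
    "V2312": "V2312.0008",
    "V2406": "V2406.0003",
}

def parse_version(text):
    """'V14.3.0.11' -> (14, 3, 0, 11); 'V2406.0003' -> (2406, 3)."""
    match = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def release_line(product, version):
    """Return the release line whose fixed version applies, or None."""
    if product == "JT2Go":
        return "V2406"  # the page names a single fixed version for JT2Go
    parsed = parse_version(version)
    for line in FIXED_BY_LINE:
        prefix = parse_version(line)
        if parsed[:len(prefix)] == prefix:
            return line
    return None

def assess(product, version):
    line = release_line(product, version)
    if line is None:
        return "not-covered"  # release line not named on the page
    fixed = parse_version(FIXED_BY_LINE[line])
    # Numeric tuple comparison: as strings, "0.9" would sort after "0.11".
    return "patched" if parse_version(version) >= fixed else "update-needed"

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("cad-ws-01", "Teamcenter Visualization", "V14.3.0.9"),
    ("cad-ws-02", "Teamcenter Visualization", "V14.2.0.13"),
    ("cad-ws-03", "Teamcenter Visualization", "V2312.0007"),
    ("cad-ws-04", "JT2Go", "V2406.0003"),
    ("cad-ws-05", "JT2Go", "V14.3.0.6"),
    ("cad-ws-06", "Teamcenter Visualization", "V13.3.0.2"),
]

def triage(inventory):
    return {host: assess(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

A "not-covered" result means the installed release line is not one the actions above give a fixed version for, so it needs a manual check against the vendor advisory.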
Evidence notes
Vulnerability details sourced from CISA CSAF advisory ICSA-24-284-03, which references Siemens security advisory SSA-959281. CVSS vector confirms local attack vector with user interaction required. Remediation guidance includes specific version updates for each affected product.
Official resources
- CVE-2024-37996 CVE record (CVE.org)
- CVE-2024-37996 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-10-08