PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-38355 Siemens CVE debrief

A vulnerability in the Socket.IO real-time communication framework, used by multiple Siemens industrial products, allows remote attackers to trigger an uncaught exception on the server, causing the Node.js process to terminate. This results in a denial-of-service condition. The vulnerability stems from improper exception handling when processing specially crafted Socket.IO packets. The underlying Socket.IO issue was resolved in version 4.6.2 (May 2023) with commit `15af22fc22`, with a backport to the 2.x branch in commit `d30630ba10`. Siemens has released patches for most affected products between November 2024 and January 2025; however, SIMATIC WinCC Runtime Professional V17 and SIMATIC WinCC V7.4 have no planned fixes. CISA published this advisory on September 10, 2024, with the most recent update on May 6, 2025.

Vendor
Siemens
Product
AI Model Deployer (one of 12 affected Siemens products; see Technical summary)
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2024-09-10
Original CVE updated
2025-05-06
Advisory published
2024-09-10
Advisory updated
2025-05-06

Who should care

Organizations operating Siemens industrial automation and control systems, particularly those using SIMATIC WinCC, SIMATIC PCS neo, TIA Administrator, or Industrial Edge applications. Asset owners in critical infrastructure sectors (energy, manufacturing, water/wastewater) with OT environments dependent on these products should prioritize patching. Security teams responsible for industrial control system security and network defenders monitoring OT/ICS environments should implement compensating controls for unpatched systems.

Technical summary

CVE-2024-38355 is a denial-of-service vulnerability in Socket.IO, a widely used Node.js real-time communication library. A specially crafted packet can trigger an uncaught exception on the server, terminating the Node.js process; because the server process hosts every connected client, one malformed packet from one unauthenticated sender takes the service down for all of them. This vulnerability affects 12 Siemens industrial products that incorporate vulnerable Socket.IO versions. The issue was originally fixed in Socket.IO 4.6.2 (May 2023) with commit `15af22fc22`, with a backport to the 2.x branch (commit `d30630ba10`). Siemens has released patches for 10 of the 12 affected products; two products (SIMATIC WinCC Runtime Professional V17 and SIMATIC WinCC V7.4) have no planned fixes. The CVSS 3.1 base score is 7.3 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: network-reachable, low attack complexity, no privileges and no user interaction required. Note that the vector rates confidentiality, integrity and availability impact all as Low, whereas the effect the advisory actually describes is the availability one (process termination); treat the score as a prioritisation aid, not a description of the impact.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade affected Siemens products to the vendor-specified fixed versions where available: AI Model Deployer to V1.1 or later; Data Flow Monitoring Industrial Edge Device User Interface to V0.0.6 or later; LiveTwin to V2.4 or later; SIMATIC PCS neo V4.1 to Update 2 or later; SIMATIC PCS neo V5.0 to Update 1 or later; SIMATIC WinCC Runtime Professional V18 to Update 5 or later; SIMATIC WinCC Runtime Professional V19 to Update 3 or later; SIMATIC WinCC V7.5 to SP2 Update 18 or later; SIMATIC WinCC V8.0 to Update 5 or later; and TIA Administrator to V3.0.3 or later.
  • For products with no planned fix (SIMATIC WinCC Runtime Professional V17 and SIMATIC WinCC V7.4), segment the network so that the products' Socket.IO endpoints are reachable only from trusted sources, monitor for anomalous packet patterns and for unexpected restarts of the affected service, and plan a migration to a supported product version.
  • Where the Socket.IO dependency can be upgraded directly (for example in custom or in-house Node.js components), ensure socket.io@4.6.2 or later is deployed, or, on the 2.x branch, a build that includes the backported fix (commit `d30630ba10`).
  • As a temporary mitigation for unpatched systems, attach a listener for the socket's "error" event (the workaround the Socket.IO maintainers published alongside the fix). Node.js throws the error object as an uncaught exception whenever an EventEmitter emits "error" with no listener registered, which is what lets a single malformed packet end the process; a listener turns that into a logged, non-fatal event. This keeps the process alive but does not change how the vulnerable library treats malformed packets, so it is a stopgap until the patched version is deployed.
  • Review CISA's ICS recommended practices for defense-in-depth strategies applicable to industrial control environments.

Evidence notes

CVE description confirms the vulnerability exists in Socket.IO and was fixed in socket.io@4.6.2 (May 2023). CISA CSAF advisory ICSA-24-256-08 identifies 12 Siemens products as affected, with remediation details showing vendor fixes released between November 2024 and January 2025 for most products. Two products (SIMATIC WinCC Runtime Professional V17 and SIMATIC WinCC V7.4) are marked as having no fix planned.

Official resources

2024-09-10