PatchSiren cyber security CVE debrief

CVE-2024-42513 Siemens CVE debrief

CVE-2024-42513 is a critical authentication-bypass vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158. Siemens’ advisory says an unauthorized attacker can bypass application authentication when HTTPS endpoints are used. The issue was published by CISA on 2025-03-11 and later republished on 2026-01-14 with Siemens ProductCERT advisory SSA-858251. For some affected products, Siemens notes the HTTPS endpoint in the OPC UA Server is disabled by default, so default configurations are not affected.

Vendor: Siemens
Product: Industrial Edge for Machine Tools (formerly known as "SINUMERIK Edge")
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-11
Original CVE updated: 2026-01-14
Advisory published: 2025-03-11
Advisory updated: 2026-01-14

Who should care

Operators, integrators, and administrators using Siemens industrial software that exposes OPC UA over HTTPS should treat this as high priority, especially where authentication is relied on for access control. This includes deployments of Industrial Edge for Machine Tools, SIMATIC Energy Manager PRO, SIMATIC IPC DiagMonitor, SIMATIC WinCC Unified, and SIMATIC WinCC V8.0 listed in the advisory.

Technical summary

The advisory identifies a flaw in the OPC UA .NET Standard Stack before version 1.5.374.158. In affected deployments, an attacker without authorization may bypass application authentication over HTTPS endpoints. CISA’s CSAF records the CVSS vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, consistent with a remotely reachable authentication-control weakness that can expose confidentiality and integrity impacts. Siemens states that the HTTPS endpoint in the OPC UA Server is deactivated by default for certain products, which reduces exposure in default configurations. The affected-product list and remediation guidance vary by product: some have vendor updates available, while others are listed as having no fix planned or no fix currently available.

Defensive priority

High. The severity is critical, and the attack path is network-reachable when the HTTPS endpoint is enabled. Prioritize exposed systems, validate whether OPC UA HTTPS is in use, and apply vendor updates where available.

Recommended defensive actions

  • Check whether OPC UA HTTPS endpoints are enabled in affected Siemens products and disable them if they are not required.
  • Apply vendor updates where available: SIMATIC WinCC Unified V19 Update 4 or later, SIMATIC Energy Manager PRO V7.4 Update 7 or later, SIMATIC Energy Manager PRO V7.5 Update 2 or later, and SIMATIC WinCC V8.0 Update 3 or later.
  • For affected products without a fix or with no fix planned, reduce exposure by keeping the HTTPS endpoint disabled (Siemens notes it is off by default for some products), restricting network access, and following Siemens/CISA defense-in-depth guidance.
  • Review deployments of Industrial Edge for Machine Tools, SIMATIC Energy Manager PRO V7.2/V7.3/V7.4/V7.5, SIMATIC IPC DiagMonitor, SIMATIC WinCC Unified V18/V19, and SIMATIC WinCC V8.0 for this issue.
  • Use the linked Siemens and CISA advisories as the authoritative source for product-specific status and remediation.
  • Validate compensating controls such as segmentation, access restrictions, and monitoring around industrial control network paths that can reach the affected service.
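The first two actions above amount to a triage question per server: is the OPC UA stack older than 1.5.374.158, and is an HTTPS endpoint actually exposed? The following is an added example, not code from PatchSiren, Siemens or the OPC Foundation, that answers that question over a constructed inventory. It assumes the operator can record the OPC UA .NET Standard Stack version for each server (for instance from assembly metadata) and the list of endpoint URLs the server advertises; host names and version strings in the sample inventory are hypothetical. Where only the product version is known, the product-specific fix versions in the advisory are the authoritative test.

```python
from urllib.parse import urlsplit

# First fixed OPC UA .NET Standard Stack version named in the advisory.
FIXED_STACK_VERSION = (1, 5, 374, 158)


def parse_version(text):
    """Turn '1.5.374.158' into a comparable tuple, padding short strings to four parts
    so that '1.5' compares as 1.5.0.0 (four-part versions are the .NET convention)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def stack_is_vulnerable(version_text):
    """True when the stack is older than the first fixed release."""
    return parse_version(version_text) < FIXED_STACK_VERSION


def https_endpoints(endpoint_urls):
    """Return only the advertised endpoints that use the HTTPS transport;
    opc.tcp:// endpoints are not in scope for this CVE."""
    return [u for u in endpoint_urls if urlsplit(u).scheme.lower() == "https"]


def triage(server):
    """Map one server record to the action the advisory's guidance implies."""
    vulnerable = stack_is_vulnerable(server["stack_version"])
    exposed = https_endpoints(server["endpoints"])
    if vulnerable and exposed:
        return "update-or-disable-https"          # reachable over the affected transport
    if vulnerable:
        return "update-when-available-keep-https-off"  # not exposed today; keep it that way
    return "fixed-stack"


def triage_inventory(inventory):
    return {server["host"]: triage(server) for server in inventory}


# Constructed sample inventory: hypothetical hosts, versions and endpoints.
SAMPLE_INVENTORY = [
    {"host": "edge-mt-01", "stack_version": "1.4.371.0",
     "endpoints": ["opc.tcp://edge-mt-01:4840/UA", "https://edge-mt-01:443/UA"]},
    {"host": "wincc-02", "stack_version": "1.5.373.0",
     "endpoints": ["opc.tcp://wincc-02:4840/UA"]},
    {"host": "energymgr-03", "stack_version": "1.5.374.158",
     "endpoints": ["https://energymgr-03:443/UA"]},
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

The scheme check is deliberately applied to the endpoint URLs the server advertises rather than to an open port, because a product can listen on 443 for other purposes while the OPC UA HTTPS endpoint stays disabled; conversely, a stack below the fixed version with no HTTPS endpoint still belongs on the update list so the exposure does not reappear after a configuration change.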

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-25-072-09 and the Siemens ProductCERT advisory SSA-858251. The source states that CVE-2024-42513 affects the OPC UA .NET Standard Stack before 1.5.374.158 and allows an unauthorized attacker to bypass application authentication over HTTPS endpoints. Siemens notes that the HTTPS endpoint is deactivated by default for some products, meaning default configurations are not affected there. The advisory metadata also provides the publication date (2025-03-11), later republication date (2026-01-14), affected product list, and product-specific remediation status.

Official resources

CVE-2024-42513 was published on 2025-03-11 in the CISA CSAF advisory ICSA-25-072-09 and later republished on 2026-01-14 with Siemens ProductCERT advisory SSA-858251. This debrief uses the CVE/advisory publication date for timing context.