PatchSiren cyber security CVE debrief
CVE-2024-45386 Siemens CVE debrief
CVE-2024-45386 is a session-management weakness in several Siemens products where user logout does not correctly invalidate the session. According to the advisory, an attacker who already obtained a valid session token by other means could reuse that token after logout. The issue was publicly disclosed on 2025-02-11 and later revised on 2025-05-06 for typo fixes only.
- Vendor: Siemens
- Product: SIMATIC PCS neo V4.0
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-11
- Original CVE updated: 2025-05-06
- Advisory published: 2025-02-11
- Advisory updated: 2025-05-06
Who should care
OT/ICS operators, administrators, and security teams responsible for Siemens SIMATIC PCS neo, SIMOCODE ES, SIRIUS Safety ES, SIRIUS Soft Starter ES, and TIA Administrator deployments.
Technical summary
The advisory states that affected products do not correctly invalidate user sessions upon logout. That means a previously issued session token may remain usable after the user believes the session has ended. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 HIGH). The source advisory lists affected Siemens products and provides version-specific remediation, including one product family with no fix currently planned.
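The weakness class the advisory describes is a logout that only clears the client's cookie while the server keeps the session record alive. The following is an added illustration written for this debrief, not Siemens code and not a statement about how the affected products implement sessions: a minimal in-memory session store with the weak logout next to a hardened server-side one, plus a check a team can adapt to verify that a replayed token is rejected after logout. The one-hour lifetime and the `operator` user are constructed values.

```python
"""Weak vs. hardened logout for an opaque-token session store (illustration for
this debrief; not Siemens code). The check at the bottom logs in, logs out with
the chosen method, then replays the old token."""
import secrets
import time

SESSION_TTL = 3600  # constructed: one-hour absolute session lifetime


class SessionStore:
    """Minimal server-side session store keyed by a random opaque token."""

    def __init__(self, now=time.time):
        self._sessions = {}   # token -> {"user": str, "issued": float}
        self._now = now       # injectable clock so expiry can be tested

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": self._now()}
        return token

    def authenticate(self, token):
        """Return the user for a live token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() - entry["issued"] > SESSION_TTL:
            del self._sessions[token]
            return None
        return entry["user"]

    def logout_client_only(self, token):
        """Weak logout (the pattern the advisory describes): the client is told to
        drop its cookie, but the server entry survives, so anyone holding the
        token can keep replaying it until the TTL runs out."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_server_side(self, token):
        """Hardened logout: destroy the server-side entry first, then clear the
        cookie. A replayed token now fails regardless of what the client kept."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def token_usable_after_logout(logout_method):
    """Verification check: returns True if a token still authenticates after the
    named logout method ran. For a correct implementation this must be False."""
    store = SessionStore()
    token = store.login("operator")          # constructed user
    assert store.authenticate(token) == "operator"
    getattr(store, logout_method)(token)
    return store.authenticate(token) is not None


if __name__ == "__main__":
    print("client-only logout, token still valid:",
          token_usable_after_logout("logout_client_only"))
    print("server-side logout, token still valid:",
          token_usable_after_logout("logout_server_side"))
```

The same check translates directly to a black-box test against a real application: capture the session cookie after login, call the logout endpoint, then replay the captured cookie against an authenticated page and expect a redirect to login or a 401. The recommendation to close the client and purge local tokens after logout reduces exposure but does not replace server-side invalidation, which is why the upgrades remain the primary fix.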
Defensive priority
High
Recommended defensive actions
- Upgrade SIMOCODE ES V19, SIRIUS Safety ES V19 (TIA Portal), and SIRIUS Soft Starter ES V19 (TIA Portal) to V19 Update 1 or later.
- Upgrade TIA Administrator to v3.0.4 or later.
- Upgrade SIMATIC PCS neo V4.1 to V4.1 Update 2 or later, and SIMATIC PCS neo V5.0 to V5.0 Update 1 or later.
- For SIMATIC PCS neo V4.0, note that the advisory states no fix is currently planned; apply compensating controls and monitor Siemens advisories.
- After logout, close the browser/client and remove any locally stored session tokens, as recommended by the advisory.
- If token exposure is suspected, treat the session as potentially reusable and investigate affected accounts and endpoints.
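For the last action, the question an investigator wants answered from logs is whether any session identifier kept being used after its owner logged out. The following detector is an added example written for this debrief; it runs over a constructed log format (`timestamp sid=… user=… event=… src=…`) and is not tied to the log layout of any Siemens product, so a real deployment needs its own parser in place of `parse_line`. The sample lines, session ids, users and addresses are all constructed.

```python
"""Flag session ids that appear in authenticated requests after a logout event
for that id (added example for this debrief; constructed log format)."""
from datetime import datetime

# Constructed sample: s1 is a normal session, s2 is reused after logout.
SAMPLE_LOG = """\
2025-02-12T10:00:00Z sid=s1 user=alice event=login src=10.0.0.5
2025-02-12T10:01:00Z sid=s1 user=alice event=request path=/plant/overview src=10.0.0.5
2025-02-12T10:05:00Z sid=s1 user=alice event=logout src=10.0.0.5
2025-02-12T10:10:00Z sid=s2 user=bob event=login src=10.0.0.9
2025-02-12T10:12:00Z sid=s2 user=bob event=logout src=10.0.0.9
2025-02-12T10:20:00Z sid=s2 user=bob event=request path=/config/export src=203.0.113.7
2025-02-12T10:21:00Z sid=s2 user=bob event=request path=/config/import src=203.0.113.7
"""


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; None for unparseable lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if sep:
            rec[key] = value
    return rec


def find_post_logout_reuse(log_text):
    """Return one finding per request that used a session id after that id had
    logged out. A later login on the same id clears the logged-out state, since
    the application reissued it; a well-behaved app should never do that."""
    logged_out = {}   # sid -> the logout record for that sid
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "sid" not in rec or "event" not in rec:
            continue
        sid, event = rec["sid"], rec["event"]
        if event == "logout":
            logged_out[sid] = rec
        elif event == "login":
            logged_out.pop(sid, None)
        elif event == "request" and sid in logged_out:
            out = logged_out[sid]
            findings.append({
                "sid": sid,
                "user": rec.get("user"),
                "path": rec.get("path"),
                "logout_src": out.get("src"),
                "request_src": rec.get("src"),
                "seconds_after_logout": (rec["ts"] - out["ts"]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_post_logout_reuse(SAMPLE_LOG):
        print(finding)
```

Each finding carries the source address of the logout and of the later request side by side, which is usually the first thing a responder compares: reuse from the same workstation minutes later often means a stale client tab, while reuse from a different address points at token exposure and justifies resetting the account and reviewing the endpoints touched.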
Evidence notes
The Siemens/CISA advisory text explicitly says affected products do not correctly invalidate user sessions upon logout and that a remote unauthenticated attacker who has obtained the session token by other means could reuse a legitimate user's session even after logout. The supplied advisory metadata lists seven affected products, includes product-specific remediations, and records that the 2025-05-06 modification was a revision fixing typos. The enrichment supplied for this record indicates no Known Exploited Vulnerabilities (KEV) listing.
Official resources
- CVE-2024-45386 CVE record (CVE.org)
- CVE-2024-45386 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public advisory published on 2025-02-11; revised on 2025-05-06 for typo fixes per the supplied revision history. No KEV listing is present in the supplied enrichment.