CVE-2024-4877 Siemens CVE debrief

Who should care

Administrators and operators responsible for Siemens SINEMA Remote Connect Client, especially in environments where the client UI connects through the Interactive Service. Security teams should also care because the issue can enable user impersonation if an attacker already has the required privilege.

Technical summary

The advisory describes a named-pipe server name collision scenario. If an attacker with SeImeprsonatePrivilege creates a pipe server matching the name used by the Interactive Service, a UI such as OpenVPN-GUI that connects to it could allow the attacker to impersonate the user running that UI. CISA’s source material assigns CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

Defensive priority

Medium. The CVSS score is not high, but the impact includes user impersonation and the affected product is used in remote connectivity contexts. Patch planning should be prompt, especially where the client is deployed on operator workstations.

Recommended defensive actions

• Update Siemens SINEMA Remote Connect Client to V3.2 SP3 or later.
• Identify all hosts running the affected client and confirm version status before the next maintenance window.
• Apply least-privilege controls on operator workstations and restrict unnecessary high-privilege local access.
• Follow Siemens and CISA industrial control system defensive guidance for hardening and defense in depth.
• Validate that only trusted administrative users can install, modify, or run privileged local services on affected endpoints.

Evidence notes

Primary evidence comes from CISA advisory ICSA-25-072-10, which cites Siemens advisory SSA-615740 for CVE-2024-4877. The source text explicitly states the named-pipe collision and user impersonation condition, and lists the remediation as V3.2 SP3 or later. The CVE and source publication dates supplied in the corpus are 2025-03-11.

Official resources