PatchSiren cyber security CVE debrief

CVE-2024-49849 Siemens CVE debrief

A type confusion vulnerability in Siemens TIA Portal engineering software allows arbitrary code execution when parsing malicious log files. The flaw stems from insufficient sanitization of user-controllable input during log file parsing operations. An attacker can exploit this by convincing a user to open a crafted log file in affected products, triggering type confusion and resulting in arbitrary code execution within the application context. The vulnerability carries a CVSS 3.1 score of 7.8 (HIGH severity) with local attack vector, low attack complexity, no privileges required, and user interaction required. The broad impact spans 39 Siemens products across multiple TIA Portal versions (V16-V19), including SIMATIC STEP 7, WinCC, S7-PLCSIM, and various engineering tools. Siemens has released patches for V19-based products and SIMOTION SCOUT TIA V5.6, but no fixes are planned or available for older versions, leaving organizations dependent on mitigation strategies.

Vendor: Siemens
Product: SIMATIC S7-PLCSIM V16
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-10
Original CVE updated: 2025-08-12
Advisory published: 2024-12-10
Advisory updated: 2025-08-12

Who should care

Industrial automation engineers, OT security teams, critical infrastructure operators, manufacturing security personnel, and organizations running Siemens TIA Portal engineering software across any version. Organizations with air-gapped or legacy engineering environments face elevated risk due to unpatched product versions.

Technical summary

The vulnerability exists in log file parsing routines across Siemens TIA Portal engineering products. Insufficient input sanitization allows attacker-controlled data to trigger type confusion, a memory safety error where an object is accessed through an incompatible type pointer. This can lead to memory corruption and arbitrary code execution within the affected application's security context. The attack requires local access with user interaction—typically social engineering to convince an engineer to open a malicious log file. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates complete confidentiality, integrity, and availability impact once exploited. Siemens has patched current versions (V19) but left legacy versions (V16-V18) unpatched, creating extended exposure windows for organizations with older deployments.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor patches for supported product versions: update SIMATIC STEP 7 Safety V19, SIMATIC STEP 7 V19, SIMATIC WinCC Unified V19, SIMATIC WinCC V19 to V19 Update 4 or later
  • Apply vendor patch for SIMOTION SCOUT TIA V5.6: update to V5.6 SP1 HF7 or later
  • For TIA Portal Cloud V19 environments, ensure deployment uses V5.2.1.1 or later with TIA Portal V19 Update 4 or later
  • For products without available patches (V16-V18 across most product lines), implement strict file handling policies to prevent opening untrusted log files from unknown sources
  • Establish application whitelisting and endpoint protection on engineering workstations to limit code execution impact
  • Segment engineering networks from operational technology (OT) networks to contain potential compromise
  • Train engineering personnel on social engineering tactics used to distribute malicious files
  • Monitor for anomalous process execution within TIA Portal applications on engineering workstations
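A small patch-status triage helper, added here as an example (it is not Siemens' or PatchSiren's tooling), that applies the fix levels listed above to an asset inventory so that hosts with no available fix stand out. The version-string formats, the 'tia_portal' and 'simotion_scout_tia' family labels and the sample inventory are assumptions; the TIA Portal Cloud case is not covered.

```python
import re

# Fix levels stated in the debrief above.  Component order is
# (major, minor, update, sp, hf) so that tuple comparison works for both
# "V19 Update 4" style and "V5.6 SP1 HF7" style version strings.
FIX_TIA_V19 = (19, 0, 4, 0, 0)        # TIA Portal V19 Update 4 or later
FIX_SCOUT_V56 = (5, 6, 0, 1, 7)       # SIMOTION SCOUT TIA V5.6 SP1 HF7 or later
AFFECTED_TIA_MAJORS = range(16, 20)   # V16-V19 are in scope per the advisory

# Assumed inventory format: 'V19 Update 4', 'V5.6 SP1 HF7', 'V18', ...
_VERSION_RE = re.compile(
    r"^V(?P<major>\d+)(?:\.(?P<minor>\d+))?"
    r"(?:\s+Update\s*(?P<update>\d+))?"
    r"(?:\s+SP(?P<sp>\d+))?"
    r"(?:\s+HF(?P<hf>\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Parse an assumed-format version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(m.group(k) or 0)
                 for k in ("major", "minor", "update", "sp", "hf"))


def triage(product_family, version_text):
    """Classify an installed version against the fix levels in the advisory.
    product_family (constructed label): 'tia_portal' for the TIA Portal based
    product lines (STEP 7, WinCC, PLCSIM, ...) or 'simotion_scout_tia'."""
    v = parse_version(version_text)
    if product_family == "tia_portal":
        if v[0] not in AFFECTED_TIA_MAJORS:
            return "NOT_IN_ADVISORY"
        if v[0] < 19:
            return "NO_FIX_MITIGATE"   # V16-V18: no fix planned, mitigate only
        return "PATCHED" if v >= FIX_TIA_V19 else "UPDATE_AVAILABLE"
    if product_family == "simotion_scout_tia":
        if v[:2] != (5, 6):
            return "NOT_IN_ADVISORY"   # only V5.6 is named on the page
        return "PATCHED" if v >= FIX_SCOUT_V56 else "UPDATE_AVAILABLE"
    raise ValueError(f"unknown product family: {product_family!r}")


def triage_inventory(rows):
    """rows: iterable of (hostname, product_family, version_text) from a
    constructed asset inventory.  Returns hostname -> status."""
    return {host: triage(fam, ver) for host, fam, ver in rows}
```

Hosts reported as NO_FIX_MITIGATE are the ones the file-handling, allow-listing and segmentation actions above must cover, since no update will arrive for them.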

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-347-05 on December 10, 2024. Advisory modified August 12, 2025 to add fixes for TIA Portal V19 and update product naming conventions. CVSS vector confirms local attack with user interaction required. Siemens CSAF document SSA-800126 provides authoritative vendor guidance.
