PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-54005 Siemens CVE debrief

CVE-2024-54005 is a medium-severity XML External Entity (XXE) vulnerability in the PDMS/E3D Engineering Interface of Siemens COMOS, published on December 10, 2024. The flaw allows attackers to extract files from known locations on user systems or accessible network folders by injecting malicious data into the communication channel between systems. The vulnerability affects multiple COMOS versions: V10.3, V10.4.0 through V10.4.4, and V10.4.4.1. Siemens has provided vendor fixes for several versions, with patches available upon request from customer support for V10.3.3.5.8 and V10.4.3.0.47, while V10.4.4.1.21 and V10.4.4.2 have direct update paths. Notably, no fix is planned for versions V10.4.0, V10.4.1, and V10.4.2, requiring organizations to upgrade to supported versions. A mitigation measure involves restricting write access to configuration files, particularly network configuration, though read-only properties alone are insufficient. The CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates local attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, with no integrity or availability impact.

Vendor: Siemens
Product: COMOS V10.3
CVSS: 5.1 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-10
Original CVE updated: 2025-05-06
Advisory published: 2024-12-10
Advisory updated: 2025-05-06

Who should care

Organizations operating Siemens COMOS engineering software in industrial environments, particularly those utilizing the PDMS/E3D Engineering Interface for external application integration. Critical infrastructure operators, chemical/petrochemical facilities, and power generation facilities using COMOS for plant design and engineering should prioritize assessment due to potential sensitive file extraction risks.

Technical summary

The PDMS/E3D Engineering Interface in Siemens COMOS improperly handles XML External Entity (XXE) entries during communication with external applications. An attacker can inject malicious XML data into the inter-system communication channel to extract arbitrary files from known locations on the user's system or accessible network folders. The vulnerability requires local access with high attack complexity but no privileges or user interaction. Multiple COMOS versions are affected with varying remediation status: V10.3 and select V10.4.x versions have vendor fixes available, while V10.4.0-V10.4.2 have no planned fixes.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided patches for supported COMOS versions: update V10.3 to V10.3.3.5.8 or later, V10.4.3 to V10.4.3.0.47 or later, V10.4.4 to V10.4.4.2 or later, and V10.4.4.1 to V10.4.4.1.21 or later
  • Contact Siemens customer support to obtain patches for V10.3.3.5.8 and V10.4.3.0.47 as these require explicit request
  • Upgrade from unsupported versions V10.4.0, V10.4.1, and V10.4.2 to a version with available vendor fix, as no patches are planned for these releases
  • Restrict write access to COMOS configuration files, especially network configuration files, ensuring only administrators can modify them
  • Implement defense-in-depth controls for industrial control systems environments per CISA recommended practices
  • Monitor for anomalous XML processing activity in PDMS/E3D Engineering Interface communications
  • Review and validate XML parser configurations to disable external entity processing where technically feasible
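The last two actions above (monitoring interface XML and disabling external entity processing) come down to how the receiving side configures its parser. The following is an added example, not Siemens or COMOS code: an intake guard for an inter-system XML channel built on Python's stdlib expat parser, which rejects any DOCTYPE, entity declaration or external entity reference before a file or network fetch can happen. The message layout and the file path in the sample are constructed for illustration.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a message carries DTD or entity constructs the interface never needs."""


def hardened_parser() -> expat.XMLParserType:
    """Expat parser that refuses DOCTYPEs, entity declarations and external entity references."""
    p = expat.ParserCreate()
    # Never load or expand parameter entities (external DTD subsets).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Interface messages carry no DTD, so any DOCTYPE is anomalous and rejected outright.
        raise UnsafeXmlError(f"DOCTYPE not allowed (root={name!r}, system id={sysid!r})")
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration not allowed: {name!r}")
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    # Returning 0 from this handler aborts the parse instead of resolving the reference.
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    return p


def parse_message(xml_text: str) -> dict:
    """Parse a message into {element path: text}; raises UnsafeXmlError on XXE constructs."""
    p, path, fields = hardened_parser(), [], {}
    p.StartElementHandler = lambda name, attrs: path.append(name)
    p.EndElementHandler = lambda name: path.pop()
    def on_text(data):
        if data.strip():
            key = "/".join(path)
            fields[key] = fields.get(key, "") + data.strip()
    p.CharacterDataHandler = on_text
    p.Parse(xml_text, True)
    return fields


def check_message(xml_text: str):
    """Return (accepted, detail): parsed fields when accepted, otherwise the rejection reason."""
    try:
        return True, parse_message(xml_text)
    except (UnsafeXmlError, expat.ExpatError) as e:
        return False, f"rejected: {e}"


# Constructed sample messages (not real COMOS/PDMS traffic): a benign export record, and one
# whose DTD declares an external entity pointing at a placeholder file path.
BENIGN = '<?xml version="1.0"?><Export><Element><Name>PIPE-101</Name></Element></Export>'
XXE = ('<?xml version="1.0"?><!DOCTYPE Export [<!ENTITY cfg SYSTEM "file:///C:/placeholder/config.xml">]>'
       '<Export><Element><Name>&cfg;</Name></Element></Export>')
```

Rejections from check_message are the events worth forwarding to monitoring, since a legitimate interface message never carries a DOCTYPE at all.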

Evidence notes

Vulnerability details sourced from CISA CSAF advisory ICSA-24-347-08, with vendor confirmation from Siemens SSA-701627. Affected product versions and remediation status explicitly documented in source. CVSS vector and score confirmed from official advisory.

Official resources

2024-12-10