PatchSiren cyber security CVE debrief
CVE-2024-54678 Siemens CVE debrief
CVE-2024-54678 is a high-severity local privilege escalation vulnerability in Siemens industrial automation software, published on 2025-08-12 and last modified on 2025-12-09. The vulnerability stems from improper sanitization of Interprocess Communication (IPC) input received through a Windows Named Pipe that is accessible to all local users. An authenticated local attacker can exploit this type confusion weakness to execute arbitrary code within the affected application context. The CVSS 3.1 score of 8.2 reflects significant impact potential including confidentiality, integrity, and availability compromise with scope change. The vulnerability affects 37 Siemens products across multiple product lines including SIMATIC PCS neo, SIMATIC STEP 7, SIMATIC WinCC, SIMOCODE ES, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, SIRIUS Soft Starter ES, and TIA Portal variants. Notably, the advisory has undergone three revisions, with the December 2025 update adding fixes for TIA Portal V17 and clarifying that no fix is expected for PCS neo V5.0.
- Vendor: Siemens
- Product: SIMATIC PCS neo V4.1
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2025-12-09
- Advisory published: 2025-08-12
- Advisory updated: 2025-12-09
Who should care
Industrial control system operators, OT security teams, manufacturing security engineers, Siemens automation platform administrators, and organizations running affected SIMATIC, SINAMICS, SIRIUS, or TIA Portal software versions in production environments.
Technical summary
The vulnerability exists in the IPC handling of affected Siemens applications on Windows platforms. A Windows Named Pipe exposed to all local users receives insufficiently sanitized input, leading to type confusion. This memory safety issue can be triggered by an authenticated local attacker to achieve arbitrary code execution within the application security context. The attack requires local access and user interaction, but successful exploitation grants high impact across confidentiality, integrity, and availability dimensions with potential scope expansion to other resources.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor patches where available: Update SIMATIC STEP 7 V17 and SIMATIC WinCC V17 to Update 9 or later; update SIMATIC STEP 7 V19 and SIMATIC WinCC V19 to Update 4 or later; update SIMATIC STEP 7 V20, SIMATIC WinCC V20, and TIA Portal Test Suite V20 to Update 4 or later; update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later. TIA Portal Cloud V19 and V20 have been fixed in versions 5.2.1.1 and 5.2.2.2 respectively with no user action required.
- Implement operating system-level mitigations on desktop systems: Execute affected software only on Windows hosts configured with a single user account to reduce local attack surface.
- Implement operating system-level mitigations on server systems: Restrict operating system access to administrators only to limit potential attacker access to the vulnerable Named Pipe.
- For products with no fix available or planned (SIMATIC PCS neo V4.1, V5.0, V6.0; SIMATIC S7-PLCSIM V17; SIMATIC STEP 7 V18; SIMATIC WinCC V18; SIMOCODE ES V17-V20; SIMOTION SCOUT TIA V5.4, V5.5, V5.7; SINAMICS Startdrive V17-V20; SIRIUS Safety ES V17-V20; SIRIUS Soft Starter ES V17-V20; TIA Portal Cloud V17-V18), prioritize network segmentation and apply defense-in-depth strategies per CISA ICS recommended practices.
- Monitor for anomalous local process behavior and Named Pipe access patterns that may indicate exploitation attempts.
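One way to act on the Named Pipe monitoring recommendation above, as an added example that is not part of the advisory or any Siemens tooling: it triages Sysmon pipe-connect records (Event ID 18) against the single-user mitigation. The pipe name, install directory, account name and all sample records are constructed placeholders, since this summary names none of them.

```python
import fnmatch
import ntpath

# Site-specific placeholders: the summary above names neither the pipe nor an
# install path, so these are assumptions to replace from your own inventory.
MONITORED_PIPES = ["\\PLACEHOLDER_PIPE_NAME*"]
TRUSTED_IMAGE_DIRS = ["C:\\Program Files\\PLACEHOLDER_VENDOR_DIR\\"]
ALLOWED_USERS = {"ENGWS01\\engineer"}  # the single designated desktop account

def _event(event_id, time, pipe, image, user):
    return {"EventID": event_id, "UtcTime": time, "PipeName": pipe,
            "Image": image, "User": user}

# Constructed sample records using Sysmon pipe-event field names
# (Event ID 17 = pipe created, 18 = pipe connected).
VENDOR_EXE = "C:\\Program Files\\PLACEHOLDER_VENDOR_DIR\\bin\\app.exe"
PUBLIC_EXE = "C:\\Users\\Public\\client.exe"
SAMPLE_EVENTS = [
    _event(18, "2025-01-01 08:00:01", "\\PLACEHOLDER_PIPE_NAME_1", VENDOR_EXE, "ENGWS01\\engineer"),
    _event(18, "2025-01-01 08:05:10", "\\placeholder_pipe_name_1", PUBLIC_EXE, "ENGWS01\\operator2"),
    _event(18, "2025-01-01 08:06:00", "\\PLACEHOLDER_PIPE_NAME_1", VENDOR_EXE, "ENGWS01\\operator2"),
    _event(18, "2025-01-01 08:07:00", "\\unrelated_pipe", PUBLIC_EXE, "ENGWS01\\operator2"),
    _event(17, "2025-01-01 07:59:00", "\\PLACEHOLDER_PIPE_NAME_1", VENDOR_EXE, "ENGWS01\\engineer"),
]

def evaluate(event):
    """Return the reasons a pipe-connect event deserves review (empty if none)."""
    if event.get("EventID") != 18:
        return []
    pipe = event.get("PipeName", "").lower()
    if not any(fnmatch.fnmatchcase(pipe, p.lower()) for p in MONITORED_PIPES):
        return []
    reasons = []
    # normpath collapses "..", so a path cannot pass just by starting with a trusted prefix.
    image = ntpath.normpath(event.get("Image", "")).lower()
    if not any(image.startswith(d.lower()) for d in TRUSTED_IMAGE_DIRS):
        reasons.append("client image outside trusted install directory")
    if event.get("User", "").lower() not in {u.lower() for u in ALLOWED_USERS}:
        reasons.append("connecting account is not the designated user")
    return reasons

def triage(events):
    """Return (time, image, user, reasons) for every event that needs review."""
    rows = [(e["UtcTime"], e["Image"], e["User"], evaluate(e)) for e in events]
    return [row for row in rows if row[3]]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

On server systems, where the mitigation is administrator-only access, ALLOWED_USERS would hold the administrator accounts instead.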
Evidence notes
Vulnerability description and affected product list derived from CISA CSAF advisory ICSA-25-226-03. CVSS vector and scoring confirmed in source. Remediation status and revision history extracted from advisory metadata.
Official resources
- CVE-2024-54678 CVE record (CVE.org)
- CVE-2024-54678 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12