ICSA-21-257-07
PUBLISHED
CVSS 9.8 CRITICAL
A buffer overflow vulnerability in the integrated web server of multiple APOGEE and TALON automation devices could allow a remote attacker to execute arbitrary code on the devices with root privileges. Affected devices include the APOGEE MBC/MEC/PXC P2 Ethernet devices with Power Open Processors (PPC), APOGEE PXC BACnet devices, and TALON TC BACnet devices. Siemens has released updates for several affected products and recommends updating to the latest versions. For products where updates are not available, or not yet available, Siemens recommends countermeasures.
Risk Scores
- CVSS v3.1 base score: 9.8
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:T/RC:C
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Siemens | TALON TC Modular (BACnet) | |
| Siemens | APOGEE PXC Compact (P2 Ethernet) | |
| Siemens | APOGEE MEC (PPC) (P2 Ethernet) | |
| Siemens | APOGEE PXC Compact (BACnet) | |
| Siemens | TALON TC Compact (BACnet) | |
| Siemens | APOGEE PXC Modular (BACnet) | |
| Siemens | APOGEE MBC (PPC) (P2 Ethernet) | |
| Siemens | APOGEE PXC Modular (P2 Ethernet) | |
Timeline
- Sep 14, 2021 CVE Published
- May 6, 2025 CVE Updated
References
- https://cert-portal.siemens.com/productcert/csaf/ssa-944498.json advisory
- https://cert-portal.siemens.com/productcert/txt/ssa-944498.txt advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-944498.pdf advisory
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-257-07.json advisory
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-257-07 advisory
- https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 url
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices url
- https://www.cisa.gov/topics/industrial-control-systems url
- https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf url
- https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf url
- https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B url