VDB

ICSA-24-256-08

ICSA-24-256-08 PUBLISHED CVSS 7.3 HIGH

A Socket.IO vulnerability affects multiple Siemens industrial products. A specially crafted Socket.IO packet triggers an uncaught exception on the Socket.IO server, killing the Node.js process and allowing a remote attacker to cause a denial-of-service condition in the affected products. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.

Risk Scores

CVSS v3.1
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products

Vendor   Product   Versions
SIMATIC PCS neo V4.1
SIMATIC WinCC V7.4
SIMATIC WinCC V7.5
SIMATIC WinCC Runtime Professional V18
SIMATIC WinCC Runtime Professional V17
Data Flow Monitoring Industrial Edge Device User Interface (DFM IED UI)
SIMATIC PCS neo V5.0
LiveTwin Industrial Edge app (6AV2170-0BL00-0AA0)
SIMATIC WinCC V8.0
AI Model Deployer
TIA Administrator
SIMATIC WinCC Runtime Professional V19

Timeline

  • Sep 10, 2024 CVE Published
  • May 6, 2025 CVE Updated