ICSA-25-231-02 — Vulnetix

ICSA-25-231-02 PUBLISHED CVSS 8.199999809265137 HIGH

Versions V5.0 through V8 of the Desigo CC product family (Desigo CC, Desigo CC Compact, Desigo CC Connect, Cerberus DMS), as well as the Desigo CC-based SENTRON Powermanager, are affected by a vulnerability in the underlying third-party component WIBU Systems CodeMeter Runtime. Successful exploitation of this vulnerability could allow privilege escalation. Siemens has released instructions how to update the CodeMeter Runtime component and recommends to apply the update on affected systems.

Risk Scores

CVSS v3.1

8.199999809265137

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
	Desigo CC family V5.0
	Desigo CC family V5.1
	SENTRON Powermanager V5
	Desigo CC family V7
	SENTRON Powermanager V8
	SENTRON Powermanager V6
	Desigo CC family V8
	Desigo CC family V6
	SENTRON Powermanager V7

Timeline

Aug 14, 2025 CVE Published
Mar 12, 2026 CVE Updated

References

https://cert-portal.siemens.com/productcert/csaf/ssa-201595.json advisory
https://cert-portal.siemens.com/productcert/html/ssa-201595.html advisory
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-231-02.json advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-25-231-02 advisory
https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01 url
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices url
https://www.cisa.gov/topics/industrial-control-systems url
https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf url
https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf url
https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b url
https://support.industry.siemens.com/cs/ww/en/view/109997962/ fix
https://support.industry.siemens.com/cs/ww/en/view/109771760/ fix

Open in Interactive Console →