CVE-2024-32741 (CVSS 10): Siemens SIMATIC CN 4100 Critical Vulnerability Exposed

Siemens, a global industrial automation leader, has issued a critical security advisory for its SIMATIC CN 4100 communication node, warning of severe vulnerabilities that could expose industrial control systems to malicious attacks.

Three Vulnerabilities Discovered

Security researchers Michael Klassen and Martin Floeck from the BASF Security Team have identified three significant flaws in the SIMATIC CN 4100:

1. CVE-2024-32740 (CVSS 9.8): Undocumented Users and Credentials: This vulnerability could allow attackers to gain unauthorized access to the device, both locally and remotely.
2. CVE-2024-32741 (CVSS 10): Hardcoded Root Password: The presence of a hardcoded password for the root user and boot loader leaves the device open to complete compromise if the password is cracked.
3. CVE-2024-32742 (CVSS 7.6): Unrestricted USB Port: This vulnerability allows attackers with physical access to boot a different operating system and gain full control of the device’s filesystem.

The Stakes Are High

The SIMATIC CN 4100 is a key component in many industrial control systems, making these vulnerabilities particularly concerning. Successful exploitation could lead to unauthorized access, data breaches, and even disruption of critical industrial processes.

Mitigation: Update Immediately

Siemens has released a new version of SIMATIC CN 4100 (V3.0) that addresses these vulnerabilities. All users are strongly urged to update their devices to this latest version as soon as possible.

For more details and specific instructions on updating the SIMATIC CN 4100, please refer to the official Siemens security advisory.