CVE-2024-44102 (CVSS 10) Found in Siemens TeleControl Server Basic: Urgent Update Required

by do son · November 12, 2024

CVE-2024-44102 - Siemens TeleControl Server Basic

A critical security vulnerability has been discovered in Siemens TeleControl Server Basic V3.1, a software solution used for remote monitoring and control of industrial plants. The vulnerability, identified as CVE-2024-44102 and assigned a CVSSv4 score of 10 (the highest severity rating), could allow an unauthenticated attacker to execute arbitrary code on affected devices, potentially leading to complete system compromise.

The vulnerability stems from insecure deserialization of user-supplied content. An attacker could exploit this flaw by sending a maliciously crafted serialized object to the server, triggering the execution of malicious code with SYSTEM privileges. This could grant the attacker full control over the affected system, enabling them to steal sensitive data, disrupt operations, or even cause physical damage to the plant.

Siemens has acknowledged the vulnerability and released updated versions of TeleControl Server Basic to address the issue. Users are strongly urged to update their systems to V3.1.2.1 or later as soon as possible.

In addition to updating to the latest version, Siemens recommends the following workarounds to reduce the risk:

Disable redundancy if not used: This reduces the attack surface by removing unnecessary components.
Restrict access to the affected systems to trusted IP addresses only: This limits the number of potential attackers who can reach the vulnerable system.

Siemens has credited Tenable for responsibly disclosing the vulnerability, allowing for a coordinated response and patch release.

Organizations using Siemens TeleControl Server Basic are urged to prioritize patching their systems immediately. The potential consequences of an attack are severe, and proactive measures are essential to safeguarding critical infrastructure.