Full Report
Versions V5.0 through V8 of the Desigo CC product family (Desigo CC, Desigo CC Compact, Desigo CC Connect, Cerberus DMS), as well as the Desigo CC-based SENTRON Powermanager, are affected by a vulnerability in the underlying third-party component WIBU Systems CodeMeter Runtime. Successful exploitation of this vulnerability could allow privilege escalation. Siemens has released instructions how to update the CodeMeter Runtime component and recommends to apply the update on affected systems.
Analysis Summary
# Vulnerability: Privilege Escalation in WIBU CodeMeter Runtime affecting Siemens Desigo CC and SENTRON Powermanager
## CVE Details
- **CVE ID:** CVE-2025-47809
- **CVSS Score:** 8.2 (High)
- **CVSS Vector:** CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- **CWE:** CWE-272: Least Privilege Violation
## Affected Systems
- **Products:**
- Desigo CC Product Family (Desigo CC, Desigo CC Compact, Desigo CC Connect, Cerberus DMS)
- SENTRON Powermanager
- **Versions:**
- Desigo CC Family: V5.0, V5.1, V6, V7 (all versions); V8 (versions prior to V8.0 QU2)
- SENTRON Powermanager: V5, V6, V7, V8 (all versions)
- **Configurations:** Systems where the third-party **WIBU Systems CodeMeter Runtime** (Control Center component) is installed.
## Vulnerability Description
A privilege escalation vulnerability exists in the WIBU CodeMeter Runtime (versions prior to 8.30a). The flaw occurs immediately after an unprivileged installation via User Account Control (UAC) but before a system logoff or reboot. If the CodeMeter Control Center component has not been restarted, a local user can navigate through the "Import License" interface to launch a privileged instance of Windows Explorer, effectively bypassing standard permission boundaries.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild; advisory based on third-party component flaw.
- **Complexity:** Low
- **Attack Vector:** Local (Requires local access to the machine following a specific installation state).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Scope:** Changed (The vulnerability allows an attacker to impact components beyond the initial security scope of the application).
## Remediation
### Patches
Siemens recommends updating the underlying WIBU CodeMeter component:
1. **Uninstall** the existing version of CodeMeter via the Control Panel.
2. **Install** WIBU CodeMeter User Runtime **V8.30a** or later (e.g., V8.40).
3. **Restart** the client/server machine after installation.
**Specific Product Updates:**
- **Desigo CC V8:** Update to **V8.0 QU2** or later.
### Workarounds
- **Reboot/Logoff:** Ensure the system is rebooted or the user has logged off and back on immediately following the installation of CodeMeter to close the window of exploitability.
- **General Mitigation:** Restrict physical and local access to critical management stations.
## Detection
- **Indicators of Compromise:** Unauthorized instances of Windows Explorer running with SYSTEM or Administrative privileges originating from the CodeMeter process (`CodeMeterCC.exe`).
- **Detection Methods:** Monitor for "Import License" dialogue interactions in CodeMeter Control Center on systems that have not been rebooted since the last software update.
## References
- **Siemens Advisory (SSA-201595):** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-201595.pdf
- **WIBU Systems Advisory (WIBU-100120):** hxxps://www.wibu[.]com/support/security-advisories/wibu-100120.html
- **WIBU Download Portal:** hxxps://www.wibu[.]com/us/support/user/downloads-user-software.html
- **Siemens Support (Desigo CC V8.0 QU2):** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109997962/