Full Report
SENTRON Powermanager and Desigo CC devices are not affected by a remote code execution vulnerability in Apache Tomcat that can be triggered via a partial PUT request due to a path equivalence issue. It could allow a remote attacker to execute arbitrary code, disclose sensitive information, or inject malicious content.
Analysis Summary
# Vulnerability: Path Equivalence Leading to RCE in Underlying Apache Tomcat (Not Affecting Siemens Products)
## CVE Details
- CVE ID: CVE-2025-24813
- CVSS Score: 9.8 (Critical)
- CWE: CWE-44: Path Equivalence: 'file.Name' (Internal Dot)
## Affected Systems
- Products: the vulnerability itself affects Apache Tomcat, but Siemens explicitly states that the following Siemens products are **NOT AFFECTED**:
  - Siemens Desigo CC (All versions)
  - Siemens SENTRON Powermanager (All versions)
- Versions (Apache Tomcat versions vulnerable to CVE-2025-24813):
  - 11.0.0-M1 through 11.0.2
  - 10.1.0-M1 through 10.1.34
  - 9.0.0.M1 through 9.0.98
- Configurations (conditions required for exploitation; not met by the Siemens products listed above):
  - Writes enabled for the default servlet (not enabled in the Siemens products listed above).
  - Support for partial PUT (enabled by default in Tomcat).
  - For RCE: the application uses Tomcat's file-based session persistence with the default storage location AND includes a library that can be abused for deserialization attacks.
## Vulnerability Description
CVE-2025-24813 is a path equivalence vulnerability (CWE-44, 'file.Name' internal dot) in Apache Tomcat. The flaw could allow a remote, unauthenticated attacker to achieve Remote Code Execution (RCE), disclose sensitive information, or inject malicious content into uploaded files.
The vulnerability can be triggered via a partial PUT request only if several specific conditions are met, primarily that writes are enabled for the default servlet and that particular file-naming and session-handling arrangements are in place.
**Siemens Assessment:** SENTRON Powermanager and Desigo CC are **not affected** because "Writes are not enabled for the Apache Tomcat default servlet and Tomcat's file-based session persistence is not used."
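The two configuration facts Siemens relies on above (default servlet writes disabled, no file-based session persistence) can be checked mechanically. The following added example, not part of the Siemens advisory or of Tomcat, parses constructed `web.xml` and `context.xml` fragments and maps them onto the advisory's preconditions; it assumes the DefaultServlet init-params `readonly` (Tomcat default `true`) and `allowPartialPut` (Tomcat default `true`, introduced with the fixed releases), and the `PersistentManager`/`FileStore` class names used in Tomcat's `context.xml`.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Writable: web.xml enabling writes for the DefaultServlet.
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
# Hardened: readonly left at its default (true) and partial PUT switched off.
WEB_XML_HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
# context.xml with file-based session persistence, and one without it.
CONTEXT_XML_FILESTORE = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
CONTEXT_XML_DEFAULT = "<Context/>"

_local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the namespace web.xml element tags carry

def default_servlet_params(web_xml):
    """Return {param-name: param-value} for the DefaultServlet declaration, {} if none."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if cls != ["org.apache.catalina.servlets.DefaultServlet"]:
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
    return params

def uses_file_session_store(context_xml):
    """True when a PersistentManager backed by a FileStore is configured."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className") == "org.apache.catalina.session.PersistentManager":
            if any(s.get("className") == "org.apache.catalina.session.FileStore" for s in mgr.iter("Store")):
                return True
    return False

def assess(web_xml, context_xml):
    """Map the advisory's preconditions onto a configuration; RCE needs all three."""
    p = default_servlet_params(web_xml)
    writes = p.get("readonly", "true").lower() == "false"          # Tomcat default: readonly=true
    partial = p.get("allowPartialPut", "true").lower() != "false"  # Tomcat default: enabled
    filestore = uses_file_session_store(context_xml)
    return {"writes_enabled": writes, "partial_put": partial, "file_session_store": filestore,
            "write_exposed": writes and partial, "rce_preconditions": writes and partial and filestore}
```

A deployment that reports `write_exposed` is still exposed to the content-injection and disclosure outcomes even without the session store, so patching to 11.0.3, 10.1.35 or 9.0.99 remains the fix; the checker only confirms which preconditions a given configuration meets.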
## Exploitation
- Status: PoC available (inferred; the advisory itself only describes the conditions required for exploitation)
- Complexity: Low (once the required conditions are met)
- Attack Vector: Network
## Impact
(Impact refers to the base CVE-2025-24813 without mitigating configurations):
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
(Patches listed for the underlying Apache Tomcat component):
- Upgrade Tomcat to version 11.0.3, 10.1.35, or 9.0.99.
### Workarounds
1. **General Security Recommendations:**
   * Apply layered and redundant protection schemes.
   * Protect network access using appropriate mechanisms (e.g., firewalls, segmentation, VPN).
   * Configure the environment according to operational guidelines so that devices run in a protected IT environment.
2. **Siemens Specific (Implicit Mitigation):** The products resist exploitation because writes for the default servlet are disabled and file-based session persistence is not used.
## Detection
Siemens recommends applying the provided security updates using the corresponding tooling; the general security recommendations provided focus on network hardening.
- Indicators of Compromise: not specified. In general, look for unexpected write operations in web application directories or unexpected application behaviour following an HTTP PUT request.
- Detection methods and tools: review web server access logs for suspicious PUT requests targeting default servlet or upload paths.
## References
- Vendor advisories: SSA-938066
- Relevant links (defanged):
  - hxxps://cert-portal.siemens.com/productcert/html/ssa-938066.html
  - hxxps://www.siemens.com/gridsecurity