IronMonkey Threat Research

SSA-693808: Deserialization Vulnerability in Siemens Engineering Platforms

HIGH
CVSS 8.2
Date 2026-06-09T00:00:00+00:00
Source siemens-productcert
Published by Siemens ProductCERT

// Description

Affected products do not properly restrict access permissions to a local Windows Named Pipe and do not properly sanitize user-controllable input sent to that Named Pipe. This could allow a local authenticated attacker to cause a type confusion and execute arbitrary code within the affected application and with its privileges. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.

// Vulnerabilities (1)

CVE ID:      CVE-2024-54678
CVSS Score:  8.2
Severity:    high
Description: Affected products do not properly sanitize Interprocess Communication input received through a Windows Named Pipe accessible to all local users. This could allow an authenticated local attacker to cause a type confusion and execute arbitrary code within the affected application.

// Affected Products (22)

Vendor   Product  Asset Type               Purdue Level  Firmware
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  hmi                      L2            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  plc                      L1            --
Siemens  Unknown  hmi                      L2            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  hmi                      L2            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  hmi                      L2            --
Siemens  Unknown  engineering_workstation  L3            --
Siemens  Unknown  engineering_workstation  L3            --

// Remediations (19)

Patch: Fixed with V5.2.2.2, no user action required
Mitigation: On Desktop systems: Execute affected software on Windows hosts where only a single user is configured
Patch: Fixed with V5.2.1.1, no user action required
Patch: Update to V5.6 SP1 HF7 or later version
Patch: Update to V17 Update 9 or later version
Patch: Update to V6.0 SP1 Update 1 or later version
Patch: https://support.industry.siemens.com/cs/ww/en/view/109784441/
Patch: Update to V19 Update 4 or later version
Patch: https://support.industry.siemens.com/cs/ww/en/view/109817218/
Mitigation: On Server systems: Reduce the access on operating system level to administrators only
Patch: Update to V20 Update 4 or later version
Mitigation: On Server systems: Reduce the access on operating system level to administrators only
Patch: Fixed with V5.2.2.2, no user action required
Patch: Fixed with V5.2.1.1, no user action required
Patch: Update to V19 Update 4 or later version
Patch: Update to V17 Update 9 or later version
Patch: Update to V5.6 SP1 HF7 or later version
Patch: Update to V20 Update 4 or later version
Mitigation: On Desktop systems: Execute affected software on Windows hosts where only a single user is configured

// References