CVE-2023-32735: CWE-502: Deserialization of Untrusted Data in Siemens SIMATIC STEP 7 Safety V16
A vulnerability has been identified in SIMATIC STEP 7 Safety V16 (All versions < V16 Update 7), SIMATIC STEP 7 Safety V17 (All versions < V17 Update 7), SIMATIC STEP 7 Safety V18 (All versions < V18 Update 2), SIMATIC STEP 7 V16 (All versions < V16 Update 7), SIMATIC STEP 7 V17 (All versions < V17 Update 7), SIMATIC STEP 7 V18 (All versions < V18 Update 2), SIMATIC WinCC Unified V16 (All versions < V16 Update 7), SIMATIC WinCC Unified V17 (All versions < V17 Update 7), SIMATIC WinCC Unified V18 (All versions < V18 Update 2), SIMATIC WinCC V16 (All versions < V16.7), SIMATIC WinCC V17 (All versions < V17.7), SIMATIC WinCC V18 (All versions < V18 Update 2), SIMOCODE ES V16 (All versions < V16 Update 7), SIMOCODE ES V17 (All versions < V17 Update 7), SIMOCODE ES V18 (All versions < V18 Update 2), SIMOTION SCOUT TIA V5.4 SP1 (All versions), SIMOTION SCOUT TIA V5.4 SP3 (All versions), SIMOTION SCOUT TIA V5.5 SP1 (All versions), SINAMICS Startdrive V16 (All versions), SINAMICS Startdrive V17 (All versions), SINAMICS Startdrive V18 (All versions), SIRIUS Safety ES V17 (All versions < V17 Update 7), SIRIUS Safety ES V18 (All versions < V18 Update 2), SIRIUS Soft Starter ES V17 (All versions < V17 Update 7), SIRIUS Soft Starter ES V18 (All versions < V18 Update 2), Soft Starter ES V16 (All versions < V16 Update 7), TIA Portal Cloud V3.0 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing hardware configuration profiles. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300.
AI Analysis
Technical Summary
CVE-2023-32735 is a deserialization vulnerability (CWE-502) affecting multiple Siemens industrial automation software products, including SIMATIC STEP 7 Safety versions V16, V17, and V18 (prior to the specified updates), SIMATIC WinCC Unified and WinCC versions V16 through V18, SIMOCODE ES, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, SIRIUS Soft Starter ES, Soft Starter ES, and TIA Portal Cloud V3.0 (prior to V18 Update 2). The vulnerability arises from improper restrictions on the .NET BinaryFormatter during deserialization of hardware configuration profiles. BinaryFormatter is known to be insecure when deserializing untrusted data, because the stream itself names the types to instantiate, which can lead to type confusion and arbitrary code execution. In this context, an attacker with sufficient privileges could craft malicious serialized data that, when processed by the affected applications, triggers execution of arbitrary code within the application's context. The vulnerability requires local access (AV:L), low attack complexity (AC:L), high privileges (PR:H), and user interaction (UI:R). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). The CVSS 3.1 base score is 6.5, indicating medium severity. No known exploits are currently reported in the wild. This vulnerability is critical in industrial control systems (ICS) environments where Siemens automation software is deployed, as it could allow attackers to manipulate control logic or disrupt operations by executing arbitrary code remotely or locally, depending on access. The issue is related to a well-known .NET deserialization weakness documented by Microsoft (CA2300).
Potential Impact
For European organizations, especially those operating critical infrastructure, manufacturing plants, or utilities relying on Siemens automation software, this vulnerability poses a significant risk. Exploitation could lead to unauthorized code execution within control system environments, potentially causing manipulation or disruption of industrial processes. This could result in operational downtime, safety hazards, data breaches, and financial losses. Given the high impact on confidentiality, integrity, and availability, attackers could alter control logic, disable safety mechanisms, or exfiltrate sensitive operational data. The requirement for high privileges and user interaction somewhat limits remote exploitation, but insider threats or compromised user accounts could facilitate attacks. The broad range of affected Siemens products used extensively across European industries increases the attack surface. Additionally, disruption in industrial environments can have cascading effects on supply chains and critical services, amplifying the impact beyond the immediate target systems.
Mitigation Recommendations
1. Immediate application of Siemens-provided updates and patches for all affected products as soon as they become available is critical. Since no patch links are currently provided, organizations should monitor Siemens advisories closely.
2. Restrict access to systems running affected Siemens software to trusted administrators only, enforcing the principle of least privilege to reduce the risk of privilege abuse.
3. Implement strict network segmentation to isolate industrial control systems from corporate networks and external internet access, minimizing exposure to potential attackers.
4. Disable or restrict the use of .NET BinaryFormatter deserialization where possible, or replace it with safer serialization methods that do not allow arbitrary code execution.
5. Monitor logs and system behavior for unusual activity indicative of exploitation attempts, such as unexpected deserialization operations or unauthorized configuration changes.
6. Conduct regular security awareness training for personnel with access to these systems to reduce the risk of social engineering or inadvertent triggering of the vulnerability.
7. Employ application whitelisting and endpoint detection and response (EDR) solutions tailored for ICS environments to detect and block malicious code execution.
8. Review and harden user interaction workflows that involve deserialization of hardware configuration profiles to ensure only validated and trusted data is processed.
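The weakness named in the description and the replacement urged in recommendation 4, as an added illustration that is not Siemens code: a hypothetical hardware-profile loader written the way the advisory describes (BinaryFormatter applied to a file the user opens), beside a replacement that binds the input to one data-only type and validates it. The HardwareProfile fields, the slot limit and the size cap are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical profile shape (assumption; the real profile layout is not on the page).
public sealed class HardwareProfile
{
    public string DeviceName { get; set; } = "";
    public int Slot { get; set; }
    public string IpAddress { get; set; } = "";
}

public static class ProfileLoader
{
    // VULNERABLE pattern (CWE-502, CA2300): BinaryFormatter instantiates whatever
    // types the stream names, so a crafted profile can run attacker-chosen code
    // inside Deserialize(), before the cast below is ever reached. A
    // SerializationBinder allowlist (formatter.Binder) narrows the type set but
    // Microsoft does not treat it as a sufficient fix; modern .NET disables the API.
    public static HardwareProfile LoadUnsafe(string path)
    {
        using var fs = File.OpenRead(path);
        var formatter = new BinaryFormatter();
#pragma warning disable SYSLIB0011 // obsolete-API warning for BinaryFormatter
        return (HardwareProfile)formatter.Deserialize(fs);
#pragma warning restore SYSLIB0011
    }

    // HARDENED replacement: a data-only format bound to one concrete type.
    // System.Text.Json never reads type names from the input, so the payload
    // cannot steer deserialization to other types; values are then range-checked.
    public static HardwareProfile LoadSafe(string path, long maxBytes = 1 << 20)
    {
        if (new FileInfo(path).Length > maxBytes)
            throw new InvalidDataException("profile exceeds size limit");

        var profile = JsonSerializer.Deserialize<HardwareProfile>(File.ReadAllText(path))
                      ?? throw new InvalidDataException("empty profile");

        if (string.IsNullOrWhiteSpace(profile.DeviceName) || profile.DeviceName.Length > 64)
            throw new InvalidDataException("invalid device name");
        if (profile.Slot < 0 || profile.Slot > 31) // example rack limit (assumption)
            throw new InvalidDataException("slot out of range");
        if (!IPAddress.TryParse(profile.IpAddress, out _))
            throw new InvalidDataException("invalid IP address");
        return profile;
    }
}
```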
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Poland, Czech Republic, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2023-05-12T13:16:47.721Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbed0d1
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 6/25/2025, 5:02:08 PM
Last updated: 7/26/2025, 4:50:39 AM