CVE-2023-32735: CWE-502: Deserialization of Untrusted Data in Siemens SIMATIC STEP 7 Safety V16

Medium
Tags: Vulnerability, CVE-2023-32735, cve, cwe-502
Published: Tue Jul 09 2024 (07/09/2024, 12:04:26 UTC)
Source: CVE
Vendor/Project: Siemens
Product: SIMATIC STEP 7 Safety V16

Description

A vulnerability has been identified in SIMATIC STEP 7 Safety V16 (All versions < V16 Update 7), SIMATIC STEP 7 Safety V17 (All versions < V17 Update 7), SIMATIC STEP 7 Safety V18 (All versions < V18 Update 2), SIMATIC STEP 7 V16 (All versions < V16 Update 7), SIMATIC STEP 7 V17 (All versions < V17 Update 7), SIMATIC STEP 7 V18 (All versions < V18 Update 2), SIMATIC WinCC Unified V16 (All versions < V16 Update 7), SIMATIC WinCC Unified V17 (All versions < V17 Update 7), SIMATIC WinCC Unified V18 (All versions < V18 Update 2), SIMATIC WinCC V16 (All versions < V16.7), SIMATIC WinCC V17 (All versions < V17.7), SIMATIC WinCC V18 (All versions < V18 Update 2), SIMOCODE ES V16 (All versions < V16 Update 7), SIMOCODE ES V17 (All versions < V17 Update 7), SIMOCODE ES V18 (All versions < V18 Update 2), SIMOTION SCOUT TIA V5.4 SP1 (All versions), SIMOTION SCOUT TIA V5.4 SP3 (All versions), SIMOTION SCOUT TIA V5.5 SP1 (All versions), SINAMICS Startdrive V16 (All versions), SINAMICS Startdrive V17 (All versions), SINAMICS Startdrive V18 (All versions), SIRIUS Safety ES V17 (All versions < V17 Update 7), SIRIUS Safety ES V18 (All versions < V18 Update 2), SIRIUS Soft Starter ES V17 (All versions < V17 Update 7), SIRIUS Soft Starter ES V18 (All versions < V18 Update 2), Soft Starter ES V16 (All versions < V16 Update 7), TIA Portal Cloud V3.0 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing hardware configuration profiles. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 17:02:08 UTC

Technical Analysis

CVE-2023-32735 is a deserialization vulnerability (CWE-502) affecting multiple Siemens industrial automation software products, including SIMATIC STEP 7 Safety versions V16, V17, and V18 (prior to specified updates), SIMATIC WinCC Unified and WinCC versions V16 through V18, SIMOCODE ES, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, SIRIUS Soft Starter ES, Soft Starter ES, and TIA Portal Cloud V3.0 (prior to V18 Update 2). The vulnerability arises due to improper restrictions on the .NET BinaryFormatter during deserialization of hardware configuration profiles. BinaryFormatter is known to be insecure when deserializing untrusted data, as it can lead to type confusion and arbitrary code execution. In this context, an attacker with sufficient privileges could craft malicious serialized data that, when processed by the affected applications, triggers execution of arbitrary code within the application’s context. The vulnerability requires local access (AV:L), low attack complexity (AC:L), high privileges (PR:H), and user interaction (UI:R). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). The CVSS 3.1 base score is 6.5, indicating a medium severity. No known exploits are currently reported in the wild. This vulnerability is critical in industrial control systems (ICS) environments where Siemens automation software is deployed, as it could allow attackers to manipulate control logic or disrupt operations by executing arbitrary code remotely or locally, depending on access. The issue is related to a well-known .NET deserialization weakness documented by Microsoft (CA2300).

Potential Impact

For European organizations, especially those operating critical infrastructure, manufacturing plants, or utilities relying on Siemens automation software, this vulnerability poses a significant risk. Exploitation could lead to unauthorized code execution within control system environments, potentially causing manipulation or disruption of industrial processes. This could result in operational downtime, safety hazards, data breaches, and financial losses. Given the high impact on confidentiality, integrity, and availability, attackers could alter control logic, disable safety mechanisms, or exfiltrate sensitive operational data. The requirement for high privileges and user interaction somewhat limits remote exploitation but insider threats or compromised user accounts could facilitate attacks. The broad range of affected Siemens products used extensively across European industries increases the attack surface. Additionally, disruption in industrial environments can have cascading effects on supply chains and critical services, amplifying the impact beyond the immediate target systems.

Mitigation Recommendations

1. Immediate application of Siemens-provided updates and patches for all affected products as soon as they become available is critical. Since no patch links are currently provided, organizations should monitor Siemens advisories closely.
2. Restrict access to systems running affected Siemens software to trusted administrators only, enforcing the principle of least privilege to reduce the risk of privilege abuse.
3. Implement strict network segmentation to isolate industrial control systems from corporate networks and external internet access, minimizing exposure to potential attackers.
4. Disable or restrict the use of .NET BinaryFormatter deserialization where possible, or replace it with safer serialization methods that do not allow arbitrary code execution.
5. Monitor logs and system behavior for unusual activity indicative of exploitation attempts, such as unexpected deserialization operations or unauthorized configuration changes.
6. Conduct regular security awareness training for personnel with access to these systems to reduce the risk of social engineering or inadvertent triggering of the vulnerability.
7. Employ application whitelisting and endpoint detection and response (EDR) solutions tailored for ICS environments to detect and block malicious code execution.
8. Review and harden user interaction workflows that involve deserialization of hardware configuration profiles to ensure only validated and trusted data is processed.
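To make recommendations 4 and 8 concrete, the following added C# example (written for this page, not Siemens code or the actual TIA Portal implementation) shows the unrestricted BinaryFormatter pattern that CA2300 warns about beside two hardened forms: a SerializationBinder that allow-lists the one expected type, and a replacement with a data-only format. The HardwareProfile type, its fields and the slot-count range are assumptions standing in for a real hardware configuration profile.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical stand-in for a hardware configuration profile (not the real format).
[Serializable]
public sealed class HardwareProfile
{
    public string DeviceName { get; set; } = "";
    public int SlotCount { get; set; }
}

// Vulnerable pattern (CA2300): BinaryFormatter with no type restriction.
// Every type named in the stream is resolved and instantiated during Deserialize,
// so a profile file from an untrusted source decides which types get constructed.
public static class UnsafeProfileLoader
{
    public static HardwareProfile Load(Stream s)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete in modern .NET
        var bf = new BinaryFormatter();
        return (HardwareProfile)bf.Deserialize(s);
#pragma warning restore SYSLIB0011
    }
}

// Partial mitigation: a binder that rejects any type other than the profile itself.
// Nested reference types used by the profile must be allow-listed here as well.
// Microsoft still documents BinaryFormatter as unsafe even with a binder, so this
// only narrows the window until the format is replaced.
public sealed class ProfileOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(HardwareProfile).FullName)
            return typeof(HardwareProfile);
        throw new SerializationException(
            $"Type '{typeName}' is not permitted in a hardware profile");
    }
}

// Preferred fix: a format that carries data only, never type names (System.Text.Json),
// followed by semantic validation of the decoded values (assumed range 0..64).
public static class SafeProfileLoader
{
    public static HardwareProfile Load(Stream s)
    {
        var profile = JsonSerializer.Deserialize<HardwareProfile>(s)
                      ?? throw new InvalidDataException("empty profile");
        if (profile.SlotCount < 0 || profile.SlotCount > 64)
            throw new InvalidDataException("slot count out of range");
        return profile;
    }
}
```

To use the binder with the legacy loader, assign `bf.Binder = new ProfileOnlyBinder();` before calling `Deserialize`; the JSON loader needs no binder because the stream cannot name a type.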

Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2023-05-12T13:16:47.721Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed0d1

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 5:02:08 PM

Last updated: 7/26/2025, 4:50:39 AM
