CVE-2023-32737: CWE-502: Deserialization of Untrusted Data in Siemens SIMATIC STEP 7 Safety V18

Severity: Medium
Published: Tue Jul 09 2024 (07/09/2024, 12:04:28 UTC)
Source: CVE
Vendor/Project: Siemens
Product: SIMATIC STEP 7 Safety V18

Description

A vulnerability has been identified in SIMATIC STEP 7 Safety V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300.

AI-Powered Analysis

Last updated: 06/25/2025, 17:01:49 UTC

Technical Analysis

CVE-2023-32737 is a deserialization vulnerability classified under CWE-502 affecting Siemens SIMATIC STEP 7 Safety V18 versions prior to Update 2. The vulnerability arises from improper restrictions on the .NET BinaryFormatter when deserializing user-controllable input. BinaryFormatter is known to be unsafe for deserializing untrusted data due to its ability to instantiate arbitrary types during deserialization, which can lead to type confusion and arbitrary code execution. In this case, the affected Siemens application does not adequately validate or restrict the input passed to BinaryFormatter, allowing an attacker with certain privileges to craft malicious serialized data that, when processed by the application, can execute arbitrary code within the context of the application.

The CVSS v3.1 score is 6.3 (medium), reflecting that exploitation requires local access (AV:L), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R). The impact includes full compromise of confidentiality, integrity, and availability of the affected system. This vulnerability is particularly critical in industrial control system (ICS) environments where SIMATIC STEP 7 Safety is used for programming and configuring safety-related automation devices. Successful exploitation could lead to manipulation or disruption of safety functions, potentially causing physical damage or safety hazards.

No known exploits are currently reported in the wild, but the underlying issue is a well-known risk associated with BinaryFormatter deserialization. Siemens has not yet published a patch at the time of this report, but Update 2 or later versions are expected to address this issue. Organizations using affected versions should prioritize mitigation to prevent exploitation.

Potential Impact

For European organizations, especially those in manufacturing, energy, transportation, and critical infrastructure sectors that rely on Siemens SIMATIC STEP 7 Safety for safety-critical automation programming, this vulnerability poses a significant risk. Exploitation could allow attackers to execute arbitrary code on engineering workstations or servers running the vulnerable software, potentially leading to unauthorized changes in safety logic, disruption of automated safety functions, or sabotage of industrial processes. This can result in operational downtime, safety incidents, regulatory non-compliance, and reputational damage. Given the high privileges required and the need for user interaction, the threat is more likely to arise from insider threats or targeted attacks involving social engineering. However, the consequences of successful exploitation are severe due to the safety-critical nature of the systems involved. The vulnerability could also be leveraged as a foothold for lateral movement within industrial networks, increasing the risk of broader ICS compromise. European organizations operating in sectors regulated by strict safety and cybersecurity standards (e.g., IEC 62443, NIS Directive) must consider this vulnerability a priority for risk management and compliance.

Mitigation Recommendations

1. Upgrade to SIMATIC STEP 7 Safety V18 Update 2 or later as soon as Siemens releases the patch to address this vulnerability.
2. Until patching is possible, restrict access to engineering workstations and servers running the affected software to trusted personnel only, minimizing the risk of malicious input.
3. Implement strict network segmentation and access controls to isolate ICS engineering environments from general IT networks and the internet.
4. Employ application whitelisting and endpoint protection solutions capable of detecting anomalous process behavior indicative of exploitation attempts.
5. Educate users with access to the affected software about the risks of opening untrusted files or interacting with suspicious inputs to reduce the likelihood of social engineering exploitation.
6. Monitor logs and system behavior for unusual deserialization activity or unexpected process executions related to SIMATIC STEP 7 Safety.
7. Review and harden .NET application configurations where possible to disable or restrict BinaryFormatter usage or replace it with safer serialization methods.
8. Coordinate with Siemens support and subscribe to their security advisories for timely updates and guidance.

These steps go beyond generic advice by focusing on controlling access, monitoring for exploitation signs, and preparing for patch deployment in an ICS context.
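
As a triage aid for step 6, the following added example (not code from Siemens or from this page) scans a byte blob for the stream header that BinaryFormatter typically writes, raw or base64-encoded, and reports the first assembly name when a BinaryLibrary record follows. The function names and sample bytes are constructed for illustration, and nothing here assumes how STEP 7 project files are laid out; it is a generic check for BinaryFormatter streams in files headed for an engineering workstation.

```python
import base64
import struct

# SerializationHeaderRecord as BinaryFormatter typically writes it (MS-NRBF):
# RecordType=0, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
NRBF_HEADER = bytes([0]) + struct.pack("<iiii", 1, -1, 1, 0)
NRBF_B64_PREFIX = b"AAEAAAD/////"  # first 9 header bytes, base64-encoded
BINARY_LIBRARY = 0x0C              # record type that names an assembly


def _read_string(buf, pos):
    """Read a .NET length-prefixed string (7-bit encoded length, UTF-8)."""
    length = shift = 0
    while True:
        byte = buf[pos]  # IndexError on a truncated record
        pos += 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return buf[pos:pos + length].decode("utf-8", "replace")


def find_binaryformatter_payloads(blob):
    """Return (offset, encoding, first_library) for each NRBF header found."""
    hits = []
    start = blob.find(NRBF_HEADER)
    while start != -1:
        library = None
        pos = start + len(NRBF_HEADER)
        if blob[pos:pos + 1] == bytes([BINARY_LIBRARY]):
            try:
                library = _read_string(blob, pos + 5)  # skip type + LibraryId
            except IndexError:
                pass  # record cut short: report the hit without a name
        hits.append((start, "raw", library))
        start = blob.find(NRBF_HEADER, start + 1)
    start = blob.find(NRBF_B64_PREFIX)
    while start != -1:
        hits.append((start, "base64", None))
        start = blob.find(NRBF_B64_PREFIX, start + 1)
    return hits


# Constructed sample: header plus one BinaryLibrary record, no object data.
SAMPLE_NAME = b"Constructed.Sample, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
SAMPLE = (NRBF_HEADER + bytes([BINARY_LIBRARY]) + struct.pack("<i", 2)
          + bytes([len(SAMPLE_NAME)]) + SAMPLE_NAME)

if __name__ == "__main__":
    print(find_binaryformatter_payloads(b"PROJ" + SAMPLE))
    print(find_binaryformatter_payloads(b"<v>" + base64.b64encode(SAMPLE) + b"</v>"))
```

A hit means only that a BinaryFormatter stream is present, not that it is malicious; the reported assembly name gives a reviewer a starting point for deciding whether the file came from an expected source.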

Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2023-05-12T13:16:47.721Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed0d5

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 5:01:49 PM

Last updated: 7/28/2025, 4:34:17 AM
