
CVE-2024-39601: CWE-306: Missing Authentication for Critical Function in Siemens CPCI85 Central Processing/Communication

Severity: Medium
Tags: Vulnerability, CVE-2024-39601, CWE-306
Published: Mon Jul 22 2024 (07/22/2024, 13:54:50 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: CPCI85 Central Processing/Communication

Description

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). Affected devices allow a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the device. This could allow an attacker to downgrade the device to older versions with known vulnerabilities.

AI-Powered Analysis

Last updated: 11/03/2025, 22:20:02 UTC

Technical Analysis

CVE-2024-39601 affects Siemens CPCI85 Central Processing/Communication (all versions before V5.40) and SICORE Base system (all versions before V1.4.0). It is classified as CWE-306, Missing Authentication for Critical Function; the critical function here is the firmware downgrade. Per the description, either a remote authenticated user or an unauthenticated user with physical access can load an older firmware image onto an affected device. A firmware rollback is normally guarded by authentication and by an anti-rollback check (the loader refuses an image whose version is lower than the one installed, or lower than a stored minimum). On affected versions the physical-access path requires no authentication at all, and the remote path, although it requires credentials, applies no further control to the rollback, so either actor can revert the device to a release with known, previously fixed vulnerabilities and then exploit those.

The CVSS 3.1 base score is 6.5 (Medium). The score corresponds to a network attack vector, low attack complexity, low privileges (the remote authenticated path), no user interaction, unchanged scope, no confidentiality or availability impact, and high integrity impact from unauthorized firmware modification. No public exploit is known, but the risk is significant because these devices sit in operational technology environments. The page lists no patch links; the remediation is to upgrade CPCI85 to V5.40 or later and SICORE Base to V1.4.0 or later.

Potential Impact

For European organizations operating critical infrastructure and industrial automation, this vulnerability is a meaningful risk. Siemens CPCI85 and SICORE Base systems are deployed in manufacturing, energy, transportation and utility environments across Europe. An attacker who rolls the firmware back to a release with known weaknesses can then exploit those weaknesses for unauthorized control, data manipulation or disruption of industrial processes, undermining system integrity and potentially causing operational disruption or safety hazards. Because the physical-access path needs no credentials, the risk is higher wherever physical security around cabinets and control rooms is weak. The impact is greatest where Siemens equipment is integral to control systems, with knock-on effects for supply chains and national infrastructure resilience. The Medium CVSS score suggests moderate urgency, but the criticality of the affected systems raises the practical impact. Exploitation could also carry regulatory and compliance consequences under EU cybersecurity directives such as NIS2.

Mitigation Recommendations

1. Upgrade Siemens CPCI85 devices to firmware V5.40 or later and SICORE Base systems to V1.4.0 or later; these are the fixed releases named in the advisory.
2. Enforce strict physical security around the devices (locked cabinets, restricted access zones), since the physical-access path requires no authentication.
3. Segment the network and apply access control lists so that only trusted, authenticated hosts and users can reach the devices' management interfaces.
4. Monitor firmware versions continuously and audit device configurations regularly so that an unauthorized downgrade is detected; any version regression on a device should raise an alert.
5. Deploy intrusion detection tuned for industrial control environments to flag anomalous firmware-management activity.
6. Train operational technology staff on the risk of firmware downgrades and the importance of applying security updates promptly.
7. Work with Siemens support and subscribe to Siemens security advisories for timely updates and guidance.
8. If the downgrade function cannot be disabled immediately, add compensating controls such as additional authentication layers in front of the management interface.
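Item 4 above, detecting an unauthorized downgrade from firmware-version monitoring, can be done with a small check over the inventory you already collect. The following added example (editor's code, not from the page or from Siemens) walks a series of firmware-version readings per device in time order, flags any reading whose version is lower than the device's previous reading, and reports which devices are still below the fixed releases V5.40 (CPCI85) and V1.4.0 (SICORE). The readings and device names are constructed for the demo; how you obtain the reported version from a real device (asset-management export, SNMP, vendor tooling) is outside what the page describes and is left as a data source the reader supplies.

```python
"""Flag firmware downgrades and still-affected versions in a device inventory.

Added example, not Siemens code. The inventory rows are constructed for the
demo; a real deployment would feed rows from an asset-management export or a
periodic poll of each device's reported firmware version.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory: anything lower is still affected.
FIXED_VERSIONS = {
    "CPCI85": "V5.40",
    "SICORE": "V1.4.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'V5.40' or 'V1.4.0' into a comparable tuple of integers.

    Assumption: each dot-separated component is an integer, so V5.40 > V5.30
    and V1.4.0 > V1.3.9. Suffixes such as 'V5.40 SP1' are not handled.
    """
    return tuple(int(part) for part in version.strip().lstrip("Vv").split("."))


@dataclass(frozen=True)
class Observation:
    """One firmware-version reading for one device."""
    ts: str        # ISO-8601 UTC timestamp; sorts correctly as a string
    device: str
    product: str   # key into FIXED_VERSIONS
    version: str


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version is below the fixed release; None if product is unknown."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def analyze(observations: List[Observation]):
    """Walk readings in time order; return (downgrades, still_affected).

    downgrades: (device, previous_version, new_version, ts) for every reading
                whose version is lower than the device's last reading.
    still_affected: sorted device names whose latest version is below the fix.
    """
    latest: Dict[str, Observation] = {}
    downgrades = []
    for obs in sorted(observations, key=lambda o: o.ts):
        prev = latest.get(obs.device)
        if prev is not None and parse_version(obs.version) < parse_version(prev.version):
            downgrades.append((obs.device, prev.version, obs.version, obs.ts))
        latest[obs.device] = obs
    still_affected = sorted(
        dev for dev, obs in latest.items() if is_affected(obs.product, obs.version)
    )
    return downgrades, still_affected


# Constructed sample readings (two daily polls); not real telemetry.
SAMPLE = [
    Observation("2025-11-01T08:00:00Z", "rtu-01", "CPCI85", "V5.40"),
    Observation("2025-11-01T08:00:00Z", "rtu-02", "CPCI85", "V5.30"),
    Observation("2025-11-01T08:00:00Z", "gw-01", "SICORE", "V1.4.0"),
    Observation("2025-11-02T08:00:00Z", "rtu-01", "CPCI85", "V5.20"),  # rolled back
    Observation("2025-11-02T08:00:00Z", "rtu-02", "CPCI85", "V5.40"),  # patched
    Observation("2025-11-02T08:00:00Z", "gw-01", "SICORE", "V1.4.0"),
]

if __name__ == "__main__":
    found, affected = analyze(SAMPLE)
    for device, old, new, ts in found:
        print(f"ALERT downgrade on {device}: {old} -> {new} at {ts}")
    print("still below fixed version:", affected)
```

Run against the sample, the script raises one alert, for rtu-01 going from V5.40 back to V5.20, and lists rtu-01 as the only device still below the fixed release; rtu-02 moving up from V5.30 to V5.40 is an upgrade and is not flagged. Because a rollback performed with valid credentials looks like any other firmware update to the device itself, comparing successive readings is the reliable signal: the version went down, which no legitimate change process should produce without a recorded change ticket.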


Technical Details

Data Version: 5.2
Assigner Short Name: siemens
Date Reserved: 2024-06-26T13:43:16.586Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6909214efe7723195e054560

Added to database: 11/3/2025, 9:40:30 PM

Last enriched: 11/3/2025, 10:20:02 PM

Last updated: 11/5/2025, 1:54:11 PM
