CVE-2018-4834

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to upload unauthorized firmware to Siemens Desigo building automation controllers without authentication. It affects multiple Desigo PXC and PXM series controllers with web modules enabled. Attackers with network access can completely compromise device functionality.

💻 Affected Systems

Products:
  • Siemens Desigo PXC00-E.D
  • Desigo PXC00/64/128-U
  • Desigo PXC001-E.D
  • Desigo PXC100-E.D
  • Desigo PXC12-E.D
  • Desigo PXC200-E.D
  • Desigo PXC22-E.D
  • Desigo PXC22.1-E.D
  • Desigo PXC36.1-E.D
  • Desigo PXC50-E.D
  • Desigo PXM20-E
Versions: V4.10 (all versions < V4.10.111), V5.00 (all versions < V5.0.171), V5.10 (all versions < V5.10.69), V6.00 (all versions < V6.0.204)
Operating Systems: Embedded controller firmware
Default Config Vulnerable: ⚠️ Yes
Notes: PXC00/64/128-U models are vulnerable only when the web module is enabled; all other listed models are vulnerable in their default configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover with malicious firmware installation leading to building system disruption, data theft, or physical safety risks in critical infrastructure.

🟠

Likely Case

Unauthorized firmware modification enabling persistent backdoors, data exfiltration, or disruption of building automation systems.

🟢

If Mitigated

Limited to internal network attacks if proper segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - Direct internet exposure allows complete remote compromise without authentication.
🏢 Internal Only: HIGH - Even internal attackers can exploit this without credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication bypass makes exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V4.10.111, V5.0.171, V5.10.69, V6.0.204 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-824231.pdf

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from the Siemens support portal.
2. Back up the current configuration.
3. Apply the firmware update following Siemens documentation.
4. Verify the update succeeded and restore the configuration if needed.

🔧 Temporary Workarounds

Disable Web Module

Applies to: all

Disable the web interface on affected PXC00/64/128-U models to prevent remote exploitation.

Configure via Desigo CC or the local interface to disable the web module.

Network Segmentation

Applies to: all

Isolate Desigo controllers in a separate VLAN with strict firewall rules.

Configure the firewall to block all inbound traffic to Desigo controllers except from management stations.

🧯 If You Can't Patch

  • Implement strict network segmentation with firewall rules blocking all unnecessary access
  • Disable web modules where possible and use local interfaces only

🔍 How to Verify

Check if Vulnerable:

Check firmware version via Desigo CC interface or local display. Compare against patched versions.

Check Version:

Use Desigo CC or access controller web interface to view firmware version

Verify Fix Applied:

Confirm firmware version shows V4.10.111, V5.0.171, V5.10.69, V6.0.204 or later.
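The version comparison above is easy to get wrong by hand because the fixed build differs per branch (V4.10, V5.00, V5.10, V6.00) and the branch is what decides the threshold. The following is an added example, not code from the advisory or from Siemens: it parses a Desigo firmware version string, looks up the fixed build for its branch from the thresholds listed in this advisory, and triages an inventory of controllers. The inventory entries and controller names are constructed.

```python
# Added example (not from the advisory or Siemens): classify Desigo firmware
# version strings against the fixed builds listed in CVE-2018-4834.
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed builds per branch, keyed by (major, minor), taken from the advisory:
# V4.10 < V4.10.111, V5.00 < V5.0.171, V5.10 < V5.10.69, V6.00 < V6.0.204
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (4, 10): 111,
    (5, 0): 171,
    (5, 10): 69,
    (6, 0): 204,
}

# Accepts "V5.0.171", "5.00.171", " v4.10.110 " (leading V optional).
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a version string into (major, minor, build) integers.

    Parsing numerically means '5.00' and '5.0' land in the same branch,
    which matters because the advisory writes the branch as V5.00 but
    the fixed build as V5.0.171.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    return major, minor, build


def is_vulnerable(text: str) -> Optional[bool]:
    """Return True if the build is below the fixed build for its branch,
    False if it is at or above it, and None if the branch is not one the
    advisory lists (None means: consult the vendor advisory, do not assume safe)."""
    major, minor, build = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build < fixed


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (controller_name, version_string) to a status label.

    Unparseable strings are reported rather than silently skipped, since a
    controller whose version you cannot read is not one you can call fixed.
    """
    result: Dict[str, str] = {}
    for name, version in inventory:
        try:
            verdict = is_vulnerable(version)
        except ValueError:
            result[name] = "UNPARSEABLE"
            continue
        if verdict is None:
            result[name] = "UNKNOWN-BRANCH"
        elif verdict:
            result[name] = "VULNERABLE"
        else:
            result[name] = "FIXED"
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = [
        ("pxc100-floor1", "V4.10.110"),
        ("pxc200-floor2", "V5.0.171"),
        ("pxm20-lobby", "5.10.68"),
        ("pxc12-plant", "V6.0.204"),
        ("pxc22-annex", "V7.0.1"),
        ("pxc50-roof", "unknown"),
    ]
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```

Feed it the version strings read from Desigo CC or the controller display; anything reported as UNKNOWN-BRANCH or UNPARSEABLE should be resolved against the vendor advisory rather than assumed patched.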

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized firmware upload attempts
  • Unexpected firmware version changes
  • Authentication bypass attempts

Network Indicators:

  • HTTP POST requests to firmware upload endpoints without authentication
  • Unusual traffic to controller web interfaces

SIEM Query:

source_ip=* dest_ip=desigo_controller (http_method=POST AND uri_contains="firmware") AND NOT user_authenticated=true
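The SIEM query above expresses the network indicator in pseudo-syntax. The following is an added example, not part of the advisory, that implements the same logic in Python so it can be tested against a handful of constructed log lines before being translated into your SIEM's query language. The log format, the controller addresses and the request path `/firmware/upload` are all constructed placeholders; the page does not name the real upload endpoint, so the match is on `firmware` appearing anywhere in the URI, as the query does.

```python
# Added example (not from the advisory): flag firmware-related POSTs to
# building controllers, with unauthenticated ones as the high-severity case.
import re
from typing import Dict, List, Optional

# Would normally come from the asset inventory; constructed placeholders here.
DESIGO_CONTROLLERS = {"10.20.30.11", "10.20.30.12"}

# Constructed line format (not a real Desigo or proxy log format):
# <timestamp> src=<ip> dst=<ip> method=<verb> uri=<path> user=<name|-> status=<code>
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"uri=(?P<uri>\S+) user=(?P<user>\S+) status=(?P<status>\d+)$"
)

# Constructed sample: one unauthenticated upload to a controller, one
# authenticated upload, one upload to a non-controller host, one bad line.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z src=10.20.1.5 dst=10.20.30.11 method=GET uri=/ user=- status=200
2024-03-01T08:00:07Z src=10.20.1.5 dst=10.20.30.11 method=POST uri=/firmware/upload user=- status=200
2024-03-01T08:01:00Z src=10.20.1.9 dst=10.20.30.12 method=POST uri=/Firmware/upload user=bms-admin status=200
2024-03-01T08:02:00Z src=10.20.1.5 dst=10.20.40.1 method=POST uri=/firmware/upload user=- status=200
2024-03-01T08:03:00Z this line is malformed and must be skipped, not crash the detector
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_firmware_posts(log_text: str, controllers=DESIGO_CONTROLLERS) -> List[Dict[str, str]]:
    """Return every POST whose URI mentions 'firmware' and whose destination is
    a known controller, tagged with a severity:

      high - no authenticated user on the request (the CVE-2018-4834 pattern)
      info - authenticated upload; still worth correlating with change records
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, do not abort the whole scan
        if rec["dst"] not in controllers:
            continue
        if rec["method"].upper() != "POST":
            continue
        if "firmware" not in rec["uri"].lower():
            continue
        rec = dict(rec)
        rec["severity"] = "high" if rec["user"] == "-" else "info"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_firmware_posts(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['ts']} {hit['src']} -> {hit['dst']} "
              f"{hit['method']} {hit['uri']} user={hit['user']}")
```

Two design points carry over to whatever query language you use: the destination filter must be driven by an inventory of controller addresses rather than a hostname pattern, and an authenticated firmware upload is still logged (at lower severity) because the "unexpected firmware version change" indicator above needs a record of every upload, not only the unauthenticated ones.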
