CVE-2019-13939

7.1 HIGH

📋 TL;DR

This vulnerability allows attackers to send specially crafted DHCP packets to change a device's IP address to an invalid value when the DHCP client is enabled. It affects multiple Siemens building automation and industrial control system products. The attack requires network access to the vulnerable device.

💻 Affected Systems

Products:
  • APOGEE MEC/MBC/PXC (P2)
  • APOGEE PXC Compact (BACnet)
  • APOGEE PXC Compact (P2 Ethernet)
  • APOGEE PXC Modular (BACnet)
  • APOGEE PXC Modular (P2 Ethernet)
  • Capital Embedded AR Classic 431-422
  • Capital Embedded AR Classic R20-11
  • Desigo PXC00-E.D
  • Desigo PXC00-U
  • Desigo PXC001-E.D
  • Desigo PXC100-E.D
  • Desigo PXC12-E.D
  • Desigo PXC128-U
  • Desigo PXC200-E.D
  • Desigo PXC22-E.D
  • Desigo PXC22.1-E.D
  • Desigo PXC36.1-E.D
  • Desigo PXC50-E.D
  • Desigo PXC64-U
  • Desigo PXM20-E
  • Nucleus NET
  • Nucleus ReadyStart V3
  • Nucleus Source Code
  • SIMOTICS CONNECT 400
  • TALON TC Compact (BACnet)
  • TALON TC Modular (BACnet)
Versions: Varies by product - see CVE description for specific version ranges
Operating Systems: Embedded systems running affected Siemens products
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists only when the DHCP client is enabled on affected devices. Devices using static IP configuration are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Network disruption causing loss of connectivity to critical building automation or industrial control systems, potentially affecting HVAC, lighting, or other facility operations.

🟠 Likely Case

Temporary loss of network connectivity to affected devices requiring manual intervention to restore proper IP configuration.

🟢 If Mitigated

Minimal impact if devices are on isolated networks with proper DHCP server controls and network segmentation.

🌐 Internet-Facing: MEDIUM - Devices directly exposed to the internet could be targeted, but the attack requires the DHCP client to be enabled and specific network conditions.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to disrupt operations of affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted DHCP packets to the vulnerable device's network interface. No authentication is required once network access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by product - APOGEE P2: V2.8.19+, APOGEE BACnet: V3.5.3+, Desigo: V6.0.327+, Nucleus ReadyStart: V2017.02.3+, SIMOTICS: V0.3.0.330+

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-162506.html

Restart Required: Yes

Instructions:

1. Identify affected products and versions.
2. Download appropriate firmware updates from Siemens support portal.
3. Follow vendor-specific update procedures for each device type.
4. Verify successful update and proper device functionality.

🔧 Temporary Workarounds

Disable DHCP Client (all)

Configure affected devices with static IP addresses instead of using DHCP

Network Segmentation (all)

Isolate affected devices on separate VLANs with strict firewall rules limiting DHCP traffic

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices
  • Deploy network monitoring to detect anomalous DHCP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against affected version ranges in Siemens advisories. Verify if DHCP client is enabled.

Check Version:

Varies by product - typically accessed through device web interface or management software

Verify Fix Applied:

Confirm firmware version is updated to patched version. Test DHCP functionality to ensure proper IP assignment.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected IP address changes
  • DHCP error messages
  • Network connectivity loss logs

Network Indicators:

  • Unusual DHCP packet patterns
  • Multiple DHCP requests from single device
  • DHCP packets with malformed options

SIEM Query:

source="dhcp" AND (message="malformed" OR message="invalid" OR dest_ip="0.0.0.0" OR dest_ip="255.255.255.255")
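
One way to turn the "malformed options" and invalid-address indicators above into a check on captured DHCP payloads, as an added example that is not from Siemens or the advisory. The checks are generic RFC 2131 sanity checks (the page does not describe the exact crafted packet); `inspect_dhcp`, `parse_options`, `build_reply` and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
# Assumption: generic RFC 2131 checks; the exact crafted packet is not on the page.
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
BOOTREPLY, OFFER, ACK = 2, 2, 5     # BOOTP op code; DHCP message types of interest
OPT_PAD, OPT_END, OPT_MASK, OPT_MSGTYPE = 0, 255, 1, 53

def parse_options(raw):
    """Walk the TLV option field; return (options, findings)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            return opts, []
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            return opts, [f"option {code} length overruns packet"]
        opts[code] = raw[i + 2 : i + 2 + raw[i + 1]]
        i += 2 + raw[i + 1]
    return opts, ["options not terminated by END (255)"]

def inspect_dhcp(payload):
    """Return a list of anomaly strings for one DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return ["not a well-formed DHCP message (short or bad magic cookie)"]
    opts, findings = parse_options(payload[240:])
    mtype = opts.get(OPT_MSGTYPE, b"")
    if len(mtype) != 1:
        findings.append("missing or malformed message-type option (53)")
    if OPT_MASK in opts and len(opts[OPT_MASK]) != 4:
        findings.append("subnet-mask option (1) is not 4 bytes")
    if payload[0] == BOOTREPLY and mtype in (bytes([OFFER]), bytes([ACK])):
        yiaddr = ipaddress.IPv4Address(payload[16:20])  # address offered to the client
        if (yiaddr.is_unspecified or yiaddr.is_multicast or yiaddr.is_loopback
                or yiaddr == ipaddress.IPv4Address("255.255.255.255")):
            findings.append(f"server reply assigns unusable address {yiaddr}")
    return findings

def build_reply(yiaddr, options):
    """Constructed sample input: a minimal BOOTREPLY with the given options."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x1234, 0, 0)
    addrs = bytes(4) + ipaddress.IPv4Address(yiaddr).packed + bytes(8)
    return hdr + addrs + bytes(16 + 64 + 128) + MAGIC_COOKIE + options

GOOD = build_reply("192.0.2.10", b"\x35\x01\x05\x01\x04\xff\xff\xff\x00\xff")
BAD_ADDR = build_reply("0.0.0.0", b"\x35\x01\x05\xff")
BAD_OPT = build_reply("192.0.2.10", b"\x35\x01\x05\x01\x40\xff\xff")
```

Feed `inspect_dhcp` the UDP payload of traffic to port 68 from a mirror port or capture file on the controller VLAN; any non-empty result is worth correlating with the log indicators listed above.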
