CVE-2021-44001

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through specially crafted PDF files in Siemens JT2Go and Teamcenter Visualization software. Attackers can exploit an out-of-bounds write in DL180pdfl.dll to execute arbitrary code with the privileges of the current process. All users of affected versions are at risk.

💻 Affected Systems

Products:
  • Siemens JT2Go
  • Siemens Teamcenter Visualization
Versions: All versions before V13.2.0.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in DL180pdfl.dll component used for PDF parsing.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attacker to install malware, steal data, or pivot to other systems.
🟠 Likely Case: Malicious PDF files delivered via email or web downloads lead to remote code execution on vulnerable systems.
🟢 If Mitigated: Limited impact with proper application whitelisting, network segmentation, and user awareness training.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious PDF, but common in business environments.
🏢 Internal Only: HIGH - Internal users frequently share PDF files, making exploitation via phishing or file shares likely.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a user to open a malicious PDF file. The file-parsing vulnerability itself requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V13.2.0.5 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-595101.pdf

Restart Required: Yes

Instructions:

1. Download V13.2.0.5 or later from Siemens support portal.
2. Install update following vendor instructions.
3. Restart affected systems.

🔧 Temporary Workarounds

Disable PDF parsing

windows

Configure software to not use DL180pdfl.dll for PDF processing

Consult Siemens documentation for DLL disabling procedures

Application control

windows

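Use Windows AppLocker or a similar application-control tool to restrict which executables, scripts and DLLs may run, which limits what an exploited viewer process can launch. AppLocker rules apply to those file types, not to .pdf documents. New-AppLockerPolicy builds rules from file information gathered by Get-AppLockerFileInformation (the directory below is a placeholder):

Get-AppLockerFileInformation -Directory "<allowed application directory>" -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml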

🧯 If You Can't Patch

  • Implement strict email filtering for PDF attachments
  • Use network segmentation to isolate vulnerable systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check software version in Help > About. If version is below V13.2.0.5, system is vulnerable.

Check Version:

Check application version via Help > About menu in the software interface

Verify Fix Applied:

Verify version is V13.2.0.5 or higher in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes from JT2Go or Teamcenter Visualization
  • Unexpected process creation from PDF viewer

Network Indicators:

  • Unusual outbound connections from affected software
  • PDF file downloads followed by suspicious activity

SIEM Query:

source="windows" AND (process_name="jt2go.exe" OR process_name="visview.exe") AND event_id=1000
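
The log indicators and SIEM query above, expressed as triage logic over exported events. This is an added example, not part of the advisory or of any Siemens tooling. The normalized record fields (channel, event_id, host, message, parent_image, image), the use of Sysmon event ID 1 for process creation, and every sample record are assumptions constructed for illustration.

```python
import re

VIEWERS = {"jt2go.exe", "visview.exe"}  # process names from the page's SIEM query
PDF_MODULE = "dl180pdfl.dll"            # component named on the page

FAULT_RE = re.compile(  # message layout of Application Error, event ID 1000
    r"Faulting application name:\s*(?P<app>[^,\r\n]+),.*?"
    r"Faulting module name:\s*(?P<mod>[^,\r\n]+),.*?"
    r"Exception code:\s*(?P<code>0x[0-9a-fA-F]+)", re.S)

def basename(path):  # lower-cased file name of a Windows path
    return path.strip().rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (severity, host, detail) for viewer crashes and viewer child processes."""
    findings = []
    for ev in events:
        if ev["channel"] == "Application" and ev["event_id"] == 1000:
            m = FAULT_RE.search(ev["message"])
            if not m or basename(m["app"]) not in VIEWERS:
                continue
            mod = m["mod"].strip()
            sev = "high" if mod.lower() == PDF_MODULE else "medium"  # fault in PDF parser
            findings.append((sev, ev["host"],
                             f"{basename(m['app'])} crashed in {mod} ({m['code']})"))
        elif ev["channel"] == "Sysmon" and ev["event_id"] == 1:  # process creation
            if basename(ev["parent_image"]) in VIEWERS:  # viewer as parent is unexpected
                findings.append(("high", ev["host"],
                                 f"{basename(ev['parent_image'])} spawned {ev['image']}"))
    return findings

def crash(host, app, mod, code):
    """Build a constructed Application Error record (placeholder versions)."""
    msg = (f"Faulting application name: {app}, version: 0.0.0.0, time stamp: 0x00000000\n"
           f"Faulting module name: {mod}, version: 0.0.0.0, time stamp: 0x00000000\n"
           f"Exception code: {code}\nFault offset: 0x0000000000000000")
    return {"channel": "Application", "event_id": 1000, "host": host, "message": msg}

# Constructed sample records (hypothetical hosts and paths), not real telemetry.
SAMPLE_EVENTS = [
    crash("ws-01", "visview.exe", "DL180pdfl.dll", "0xc0000005"),
    crash("ws-02", "jt2go.exe", "ntdll.dll", "0xc0000409"),
    crash("ws-03", "notepad.exe", "ntdll.dll", "0xc0000005"),
    {"channel": "Sysmon", "event_id": 1, "host": "ws-02",
     "parent_image": r"C:\Example\jt2go.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"channel": "Sysmon", "event_id": 1, "host": "ws-04",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Example\jt2go.exe"},
]
```

A crash inside DL180pdfl.dll ranks above other viewer crashes, and a viewer that appears as the parent of a new process is flagged while a viewer launched by explorer.exe is not.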
