CVE-2023-43625
📋 TL;DR
CVE-2023-43625 is a critical remote code execution vulnerability in Simcenter Amesim's SOAP endpoint. Unauthenticated remote attackers can perform DLL injection to execute arbitrary code with the application's privileges. All Simcenter Amesim versions before V2021.1 are affected.
💻 Affected Systems
- Simcenter Amesim
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or disrupt industrial operations.
Likely Case
Ransomware deployment, data exfiltration, or establishing persistent backdoors in industrial environments.
If Mitigated
Limited impact if network segmentation prevents external access and proper endpoint protection is in place.
🎯 Exploit Status
The vulnerability requires no authentication and has a straightforward exploitation path via DLL injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V2021.1 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-386812.pdf
Restart Required: Yes
Instructions:
1. Download Simcenter Amesim V2021.1 or later from Siemens support portal.
2. Backup current configuration and data.
3. Install the updated version following Siemens installation guide.
4. Restart the system and verify the new version is running.
🔧 Temporary Workarounds
Network Segmentation
Block external access to Simcenter Amesim SOAP endpoints using firewall rules (all platforms).
Windows:
netsh advfirewall firewall add rule name="Block Amesim SOAP" dir=in action=block protocol=TCP localport=8080
Linux:
iptables -A INPUT -p tcp --dport 8080 -j DROP
Application Whitelisting
Restrict DLL loading to prevent unauthorized DLL injection (Windows).
Configure Windows AppLocker or equivalent to only allow signed DLLs from trusted publishers.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Simcenter Amesim systems from untrusted networks
- Deploy endpoint detection and response (EDR) solutions to monitor for DLL injection attempts
🔍 How to Verify
Check if Vulnerable:
Check Simcenter Amesim version via Help > About in the application interface or examine installation directory version files.
Check Version:
On Windows: Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\Siemens\Simcenter Amesim\Version. On Linux: Check /opt/siemens/simcenter_amesim/version.txt
Verify Fix Applied:
Confirm version is V2021.1 or later and test SOAP endpoint functionality with security scanning tools.
📡 Detection & Monitoring
Log Indicators:
- Unusual DLL loading events in Windows Event Logs
- Failed authentication attempts to SOAP endpoints
- Process creation from Simcenter Amesim with unusual command lines
Network Indicators:
- Unusual SOAP requests to Simcenter Amesim ports
- External IP addresses accessing internal Amesim services
- Unexpected outbound connections from Amesim processes
SIEM Query:
source="windows" (EventID=7 OR EventID=11) (process_name="*amesim*" OR parent_process="*amesim*")
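The query above only selects events; the sketch below shows one way to triage the results for the "unusual DLL loading" indicator. It is an added example, not Siemens or vendor code. It assumes the events are Sysmon records (EventID 7 = image load, 11 = file create) with Sysmon's field names; the install path, the executable name and the sample events are constructed placeholders.

```python
import ntpath

# Assumed trusted locations; C:\AMESIM_INSTALL_DIR is a placeholder for the
# real installation directory on the host.
TRUSTED_DIRS = [r"C:\AMESIM_INSTALL_DIR", r"C:\Windows\System32"]

def _under(path, root):
    """True if path lies inside root (case-insensitive, Windows path rules)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return p.startswith(r)

def triage(events):
    """Return (reason, event) pairs for Amesim-related events worth review."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if "amesim" not in ntpath.basename(image).lower():
            continue  # similar to process_name="*amesim*" in the query
        if ev["EventID"] == 7:  # DLL loaded into the process
            dll = ev.get("ImageLoaded", "")
            if not any(_under(dll, d) for d in TRUSTED_DIRS):
                findings.append(("dll-outside-trusted-dirs", ev))
            elif ev.get("Signed", "false").lower() != "true":
                findings.append(("unsigned-dll", ev))
        elif ev["EventID"] == 11:  # file created by the process
            if ev.get("TargetFilename", "").lower().endswith(".dll"):
                findings.append(("dll-written-by-amesim", ev))
    return findings

# Constructed sample events (not real telemetry); amesim.exe is a hypothetical name.
SAMPLE = [
    {"EventID": 7, "Image": r"C:\AMESIM_INSTALL_DIR\amesim.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\AMESIM_INSTALL_DIR\amesim.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\AMESIM_INSTALL_DIR\amesim.exe",
     "ImageLoaded": r"C:\AMESIM_INSTALL_DIR\plugin.dll", "Signed": "false"},
    {"EventID": 11, "Image": r"C:\AMESIM_INSTALL_DIR\amesim.exe",
     "TargetFilename": r"C:\AMESIM_INSTALL_DIR\tmp\x.DLL"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE):
        print(reason, ev.get("ImageLoaded") or ev.get("TargetFilename"))
```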