CVE-2024-45386
📋 TL;DR
This vulnerability allows session hijacking in Siemens industrial control software. An attacker who obtains a valid session token can reuse it even after the legitimate user logs out. Affected products include SIMATIC PCS neo, SIMOCODE ES, SIRIUS Safety ES, SIRIUS Soft Starter ES, and TIA Administrator.
💻 Affected Systems
- SIMATIC PCS neo V4.0
- SIMATIC PCS neo V4.1
- SIMATIC PCS neo V5.0
- SIMOCODE ES V19
- SIRIUS Safety ES V19 (TIA Portal)
- SIRIUS Soft Starter ES V19 (TIA Portal)
- TIA Administrator
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains persistent unauthorized access to industrial control systems, potentially manipulating processes, stealing sensitive data, or causing operational disruption.
Likely Case
Session hijacking leads to unauthorized access with the privileges of the compromised user, allowing data theft or limited system manipulation.
If Mitigated
With network segmentation and strict access controls, impact is limited to isolated systems with minimal critical exposure.
🎯 Exploit Status
Exploitation requires obtaining a valid session token through other means (e.g., network sniffing, XSS).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SIMATIC PCS neo V4.1 Update 2, SIMATIC PCS neo V5.0 Update 1, SIMOCODE ES V19 Update 1, SIRIUS Safety ES V19 Update 1, SIRIUS Soft Starter ES V19 Update 1, TIA Administrator V3.0.4
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-342348.html
Restart Required: No
Instructions:
1. Identify affected products and versions.
2. Download updates from Siemens support portal.
3. Apply updates according to Siemens documentation.
4. Test in non-production environment first.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems from untrusted networks to reduce attack surface.
Session Timeout Reduction
Configure shorter session timeout values to limit token validity window.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure.
- Monitor for unusual session activity and implement session revocation mechanisms.
🔍 How to Verify
Check if Vulnerable:
Check product version against affected versions list in Siemens advisory.
Check Version:
Product-specific commands vary; consult Siemens documentation for version checking.
Verify Fix Applied:
Verify installed version matches or exceeds patched versions listed in advisory.
📡 Detection & Monitoring
Log Indicators:
- Multiple sessions from same token after logout
- Unusual access patterns from unexpected IPs
Network Indicators:
- Repeated use of same session token across multiple requests
SIEM Query:
Example: 'session_token re-use after logout event'
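Added example (not from Siemens or from this page's database): a minimal Python detector for the first log indicator above, flagging any request that presents a session token after that token's logout event. The JSON log format, its field names, and the sample events are assumptions constructed for illustration; map them to whatever your web or application logs actually record.

```python
import json
from datetime import datetime

# Constructed sample events, deliberately out of order. The JSON field names are
# assumptions, not the log schema of any Siemens product. "token_id" stands for
# a hash of the session token: log the hash, never the token itself.
SAMPLE_LOG = """\
{"ts": "2024-09-10T08:00:00", "event": "login", "token_id": "tok-A", "user": "operator1", "src_ip": "10.0.5.20"}
{"ts": "2024-09-10T08:05:00", "event": "request", "token_id": "tok-A", "user": "operator1", "src_ip": "10.0.5.20"}
{"ts": "2024-09-10T08:10:00", "event": "login", "token_id": "tok-B", "user": "engineer2", "src_ip": "10.0.5.31"}
{"ts": "2024-09-10T08:42:00", "event": "request", "token_id": "tok-A", "user": "operator1", "src_ip": "10.0.5.20"}
{"ts": "2024-09-10T08:30:00", "event": "logout", "token_id": "tok-A", "user": "operator1", "src_ip": "10.0.5.20"}
{"ts": "2024-09-10T08:41:10", "event": "request", "token_id": "tok-A", "user": "operator1", "src_ip": "10.0.9.77"}
{"ts": "2024-09-10T08:45:00", "event": "request", "token_id": "tok-B", "user": "engineer2", "src_ip": "10.0.5.31"}
"""


def find_post_logout_reuse(log_text):
    """Return one finding per request that presents a token after its logout."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    events.sort(key=lambda e: e["ts"])  # collectors may deliver lines out of order

    logged_out = {}  # token_id -> (logout time, source IP at logout)
    findings = []
    for e in events:
        tok = e["token_id"]
        if e["event"] == "logout":
            logged_out.setdefault(tok, (e["ts"], e["src_ip"]))
        elif e["event"] == "request" and tok in logged_out:
            out_ts, out_ip = logged_out[tok]
            findings.append({
                "token_id": tok,
                "user": e["user"],
                "src_ip": e["src_ip"],
                "seconds_after_logout": int((e["ts"] - out_ts).total_seconds()),
                "ip_changed": e["src_ip"] != out_ip,  # the "unexpected IPs" indicator
            })
    return findings


if __name__ == "__main__":
    for finding in find_post_logout_reuse(SAMPLE_LOG):
        print(finding)
```

On a patched system a request carrying a logged-out token should be rejected, so any finding whose request was served successfully is worth investigating.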