PT-2025-6193 · Siemens · SIMOCODE ES +4
Published: 2025-02-11 · Updated: 2025-02-16
CVE-2024-45386
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
SIMATIC PCS neo versions V4.0 through V4.1 before Update 2
SIMATIC PCS neo versions V5.0 before Update 1
SIMOCODE ES versions V19 before Update 1
SIRIUS Safety ES versions V19 before Update 1
SIRIUS Soft Starter ES versions V19 before Update 1
TIA Administrator versions before V3.0.4
Description:
A vulnerability has been identified where affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.
Recommendations:
For SIMATIC PCS neo versions V4.0 through V4.1 before Update 2, update to V4.1 Update 2 or later.
For SIMATIC PCS neo versions V5.0 before Update 1, update to V5.0 Update 1 or later.
For SIMOCODE ES versions V19 before Update 1, update to V19 Update 1 or later.
For SIRIUS Safety ES versions V19 before Update 1, update to V19 Update 1 or later.
For SIRIUS Soft Starter ES versions V19 before Update 1, update to V19 Update 1 or later.
For TIA Administrator versions before V3.0.4, update to V3.0.4 or later.
As a temporary workaround, consider implementing additional session validation mechanisms to minimize the risk of exploitation.
Weakness Enumeration:
Insufficient Session Expiration
Affected Products:
SIMATIC PCS neo
SIMOCODE ES
SIRIUS Safety ES
SIRIUS Soft Starter ES
TIA Administrator