# Full Report
COMOS is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code, cause a denial of service condition, perform data infiltration, or perform access control violations. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
# Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Siemens COMOS Leading to Code Execution and Data Loss
## CVE Details
- CVE ID: Multiple (CVE-2024-47875, CVE-2025-2783, CVE-2025-10148, CVE-2024-11053, CVE-2025-40800, CVE-2025-40801)
- CVSS Score: Up to 10.0 (CVSS v3.1) / 9.2 (CVSS v4.0) (Critical)
- CWE: Various, including Improper Certificate Validation (CWE-295) and predictable identifiers (CWE-340).
## Affected Systems
- Products: Siemens COMOS
- Versions:
  - COMOS V10.4 (All versions < V10.4.5) - Certain web components affected by CVE-2024-47875.
  - COMOS V10.4 (All versions < V10.4.5) - Affected by CVE-2025-2783.
  - COMOS V10.4.5 (All versions < V10.4.5.0.2) - Affected by CVE-2025-10148 and CVE-2024-11053.
  - COMOS V10.5 (All versions < V10.5.2) - Affected by CVE-2025-2783.
  - COMOS V10.5 (All versions < V10.5.2 with COMOS Web) - Affected by CVE-2024-47875.
  - COMOS V10.6 (All versions) - Affected by CVE-2025-40800, CVE-2025-40801, CVE-2024-11053, CVE-2025-10148.
- Configurations: Specific vulnerabilities target COMOS Web components.
## Vulnerability Description
This advisory covers a collection of vulnerabilities with severe potential impact. The key technical issues detailed are:
1. **Improper Certificate Validation (CVE-2025-40800, CVE-2025-40801):** The IAM client and SALT SDK fail to validate server certificates during TLS connections to the authorization server, enabling Man-in-the-Middle (MITM) attacks to compromise connection confidentiality and integrity.
2. **Potential Credential Leak (CVE-2024-11053):** In specific curl configurations involving `.netrc` files and HTTP redirects, a password for one host could potentially be leaked to the machine hosting the redirected resource.
3. **Content Poisoning (CVE-2024-47875 - Implicit):** A vulnerability (likely related to HTTP handling) could allow an attacker to poison the cache of an involved proxy, serving malicious content to multiple users.
4. **Other Flaws:** Additional vulnerabilities (e.g., CVE-2025-2783, CVE-2025-10148) allow for arbitrary code execution, denial of service, data infiltration, or access control violations.
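The certificate-validation failure in item 1 (CWE-295), as an added illustration that is not Siemens' code and does not reproduce the IAM client or SALT SDK: a Python client TLS context that skips validation next to a hardened one, plus an audit helper that flags the weak settings a reviewer would look for. The `ca_bundle` path is an assumption standing in for an internal PKI root.

```python
import socket
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The CWE-295 pattern: the client accepts any server certificate, so an
    on-path attacker can present their own and read or alter the session."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against trusted CAs and require hostname matching.
    ca_bundle (assumed path to an internal PKI root) pins trust to that CA
    instead of the system store; None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag in a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified (CWE-295)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are permitted")
    return findings


def fetch_peer_cert(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Open a connection with the given context; server_hostname is what
    enables SNI and hostname checking. With the hardened context a forged
    or mismatched certificate raises ssl.SSLCertVerificationError."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Run against a copy of the client's TLS setup, `audit_context` turns the advisory's finding into a check that can be repeated after patching.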
## Exploitation
- Status: The advisory does not state whether any of the high-severity CVEs are being exploited; the breadth of the issues nevertheless suggests high exploitation potential. CVE-2024-47875 (Content Poisoning) implies a network-based attack path.
- Complexity: Varies by CVE, potentially from low (network-based DoS/poisoning) to medium (MITM attacks).
- Attack Vector: Primarily **Network** for most listed issues (MITM, Web component flaws).
## Impact
- Confidentiality: High (Potential data infiltration, password leakage in specific situations).
- Integrity: High (Arbitrary code execution potential, cache poisoning leading to content modification).
- Availability: High (Potential for Denial of Service conditions).
## Remediation
### Patches
- **COMOS V10.4:** Update to **V10.4.5 or later** to address CVE-2024-47875 and CVE-2025-2783.
- **COMOS V10.4.5:** Contact customer support to receive patch and update information for CVE-2025-10148 and CVE-2024-11053.
- **COMOS V10.5:** Update to **V10.5.2 or later** to address CVE-2025-2783 and CVE-2024-47875.
- **COMOS V10.6:** Currently, **no fix is available** for the vulnerabilities affecting this version.
### Workarounds
- **General Mitigation:**
  1. Protect network access to affected COMOS systems using appropriate mechanisms.
  2. Configure the IT environment according to Siemens' operational guidelines for Industrial Security.
  3. Follow the recommendations in the product manuals.
## Detection
- Indicators of Compromise: None are explicitly provided in the summary; suspicious activity related to TLS connection failures (given the missing certificate validation) or unexpected proxy behavior (cache poisoning) should be investigated.
- Detection methods and tools: Monitor network traffic for connection attempts that bypass standard certificate trust mechanisms, particularly outbound connections from the IAM client or SALT SDK components.
## References
- Vendor Advisories: SSA-212953
- Relevant Links:
  - Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories
  - Siemens Industrial Security Information: hxxps://www.siemens.com/industrialsecurity
  - Known Affected Products Details: hxxps://cert-portal.siemens.com/productcert/html/ssa-212953.html