Full Report
WIBU Systems published information about a privilege escalation vulnerability that arises under certain circumstances, along with associated fix releases of CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens industrial products. Siemens has released new versions for affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Privilege Escalation in WIBU CodeMeter Runtime Affecting Siemens Products
## CVE Details
- **CVE ID:** CVE-2025-47809
- **CVSS Score:** 8.2 (High)
- **CWE:** CWE-272: Least Privilege Violation
## Affected Systems
- **Products:**
  - SIMATIC PDM Maintenance Station V5.0
  - SIMATIC WinCC OA (V3.18, V3.19, V3.20)
  - WIBU CodeMeter Runtime (integrated into the above products)
- **Versions:**
  - SIMATIC PDM Maintenance Station V5.0: All versions
  - SIMATIC WinCC OA V3.18: All versions prior to V3.18 P032
  - SIMATIC WinCC OA V3.19: All versions prior to V3.19 P020
  - SIMATIC WinCC OA V3.20: All versions prior to V3.20 P008
  - WIBU CodeMeter: Versions prior to 8.30a
- **Configurations:** The vulnerability is active specifically after installation but **before** a logoff or reboot occurs.
## Vulnerability Description
A privilege escalation flaw exists in the WIBU CodeMeter Runtime during a specific window following installation. If an unprivileged user performs an installation using User Account Control (UAC) elevation, the CodeMeter Control Center component may inherit or retain elevated permissions. A local user can then navigate through the "Import License" interface to launch a privileged instance of Windows Explorer, effectively gaining unauthorized administrative access to the system.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild; PoC details describe a specific UI navigation path.
- **Complexity:** Low
- **Attack Vector:** Local (Requires local access to the machine post-installation).
## Impact
- **Confidentiality:** High (Full access to system files via privileged Explorer)
- **Integrity:** High (Ability to modify system-level files and configurations)
- **Availability:** High (Potential to delete or corrupt critical system components)
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **SIMATIC WinCC OA V3.18:** Update to V3.18 P032 or later.
- **SIMATIC WinCC OA V3.19:** Update to V3.19 P020 or later.
- **SIMATIC WinCC OA V3.20:** Update to V3.20 P008 or later.
- **WIBU CodeMeter:** Ensure CodeMeter Runtime is version 8.30a or later.
*Note: For SIMATIC PDM Maintenance Station V5.0, a fix is currently unavailable.*
### Workarounds
- **Immediate Reboot:** Perform a system reboot or logoff/logon immediately after installing affected software to terminate the vulnerable process state.
- **Restrict Access:** Limit local access to systems during and immediately after software installation/update procedures.
- **UAC Best Practices:** Ensure only trusted administrators perform installations and monitor for unusual child processes originating from CodeMeter components.
## Detection
- **Indicators of Compromise:** Presence of `explorer.exe` running with SYSTEM or elevated Administrative privileges triggered by `CodeMeter.exe`.
- **Detection Methods:** Monitor endpoint logs for unauthorized execution of file management tools immediately following software installation windows.
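
One way to express the indicator above as a check over process-creation events, added here as an example and not taken from the Siemens or WIBU advisories. It assumes Sysmon Event ID 1 records already parsed into dictionaries (fields `Image`, `ParentImage`, `IntegrityLevel`, `User`, `UtcTime`); the `codemeter` parent-name prefix, the verdict labels and the sample events are constructed for illustration.

```python
import ntpath  # parses Windows paths correctly on any analysis host

ELEVATED = {"high", "system"}   # Sysmon IntegrityLevel values treated as elevated
FILE_TOOLS = {"explorer.exe"}   # file management tool named in the advisory
PARENT_PREFIX = "codemeter"     # assumption: CodeMeter binaries share this name prefix


def classify(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage") or "").lower()
    child = ntpath.basename(event.get("Image") or "").lower()
    level = (event.get("IntegrityLevel") or "").lower()
    if not parent.startswith(PARENT_PREFIX) or level not in ELEVATED:
        return None  # unrelated parent, or child at normal integrity
    # Elevated Explorer is the advisory's indicator; other elevated children need triage.
    return "alert" if child in FILE_TOOLS else "review"


def scan(events):
    """Collect (verdict, time, user, image) for every event that matches."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            findings.append((verdict, ev.get("UtcTime"), ev.get("User"), ev.get("Image")))
    return findings


# Constructed sample events (paths, users and times are illustrative only).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-01 10:02:11", "User": "LAB\\operator", "IntegrityLevel": "High",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Example\CodeMeter.exe"},
    {"UtcTime": "2025-01-01 12:30:00", "User": "LAB\\operator", "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Example\CodeMeter.exe"},
    {"UtcTime": "2025-01-01 10:03:40", "User": "LAB\\operator", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Example\CODEMETER.EXE"},
    {"UtcTime": "2025-01-01 10:05:00", "User": "LAB\\admin", "IntegrityLevel": "High",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"UtcTime": "2025-01-01 10:06:00", "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Correlating the `alert` and `review` timestamps with known installation or update windows narrows triage to the period the advisory describes, before the first logoff or reboot.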
## References
- Siemens Advisory SSA-331739: hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-331739.pdf
- WIBU Systems Security Advisory WIBU-100120: hxxps://www.wibu[.]com/support/security-advisories/wibu-100120.html
- Siemens Operational Guidelines: hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security