Siemens Engineering Platforms Session-Memory Deserialization Vulnerability (SSA-871035)

### Key Information #### Vulnerability Description - **Vulnerability ID**: SSA-871035 - **Vulnerability Name**: Session-Memory Deserialization Vulnerability - **Affected Products**: Siemens Engineering Platforms Before V19 - **Release Date**: 2024-11-12 - **Update Date**: 2024-11-12 - **Current Version**: V1.0 - **CVSS v3.1 Base Score**: 7.3 - **CVSS v4.0 Base Score**: 7.0 #### Impact Scope - The affected products do not properly handle user-controllable input during file parsing. This could allow an attacker to cause type confusion and execute arbitrary code. #### Solution - Siemens has released new versions of multiple affected products and recommends updating to the latest version. - Siemens is preparing further fix versions and recommends applying mitigations for products where fixes are not yet available or not yet released. #### Workarounds and Mitigations - **CVE-2023-32736**: Avoid opening untrusted files from unknown sources in affected products. #### General Security Recommendations - Siemens strongly recommends protecting network access to devices. - Configure the environment in accordance with Siemens’ Industrial Security Operational Guidelines (download: ). - Follow recommendations in the product manual. #### Product Description - Describes the functionality and features of the affected products. #### Additional Information - Provides contact information for further inquiries regarding security vulnerabilities in Siemens products and solutions. #### Historical Data - Version 1.0 (2024-11-12): Release date #### Terms of Use - Terms and conditions for using Siemens security advisories can be found at .

Goal Reached Thanks to every supporter — we hit 100%!

Siemens Engineering Platforms Session-Memory Deserialization Vulnerability (SSA-871035)