CVE-2024-49775
Published: 16 December 2024
Summary
CVE-2024-49775 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 12.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A heap-based buffer overflow vulnerability, tracked as CVE-2024-49775 and assigned CWE-122, affects multiple Siemens industrial products including Opcenter Execution Foundation, Opcenter Intelligence, Opcenter Quality, Opcenter RDnL, SIMATIC PCS neo V4.0 through V5.0, SINEC NMS when used with UMC, and TIA Portal V16 through V19. The flaw resides in the integrated UMC component across all listed versions prior to the specified updates.
An unauthenticated remote attacker can exploit the issue over the network to execute arbitrary code. The CVSS 9.3 rating reflects that exploitation requires no authentication, user interaction, or special conditions.
The official Siemens advisory at https://cert-portal.siemens.com/productcert/html/ssa-928984.html addresses mitigation and patching guidance for the affected products. The associated EPSS score has remained flat at 0.0552 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43871
Vulnerability details
A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2501.0001), Opcenter Intelligence (All versions < V2501.0001), Opcenter Quality (All versions < V2512), Opcenter RDnL (All versions < V2410), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions if operated in conjunction with UMC < V2.15), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.