CVE-2024-56336

Critical

Published: 11 March 2025

Published

11 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0024 46.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56336 is a critical-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-7 Software, Firmware, and Information Integrity good match

preventdetect

SI-7 requires integrity checks on software and firmware before execution, directly preventing malicious code injection or untrusted firmware loading via the unlocked bootloader.

CM-14 Signed Components good match

prevent

CM-14 enforces digital signature verification prior to installing or updating firmware, blocking untrusted firmware installation enabled by the unlocked bootloader.

SI-2 Flaw Remediation good match

preventrecover

SI-2 mandates timely flaw remediation, including applying Siemens' security advisory patches to lock the bootloader and address the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1542.001 System Firmware Stealth

Adversaries may modify system firmware to persist on systems.

attack.mitre.org →

Why these techniques?

The unlocked bootloader vulnerability enables remote unauthenticated network exploitation of the device for arbitrary code execution and untrusted firmware installation, directly mapping to T1190 for exploiting the exposed application/service and T1542.001 for replacing system firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability has been identified in SINAMICS S200 (All versions with serial number beginning with SZVS8, SZVS9, SZVS0 or SZVSN and the FS number is 02). The affected device contains an unlocked bootloader. This security oversight enables attackers to inject…

malicious code, or install untrusted firmware. The intrinsic security features designed to protect against data manipulation and unauthorized access are compromised when the bootloader is not secured.

Deeper analysisAI

CVE-2024-56336 is a critical vulnerability affecting SINAMICS S200 drives in all versions with serial numbers beginning with SZVS8, SZVS9, SZVS0, or SZVSN and an FS number of 02. The issue stems from an unlocked bootloader (CWE-287: Improper Authentication), which bypasses intrinsic security features designed to prevent data manipulation and unauthorized access. This allows attackers to inject malicious code or install untrusted firmware, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers with network access to the device can exploit this vulnerability without authentication, privileges, or user interaction. Successful exploitation enables full compromise of the device, including high-impact confidentiality, integrity, and availability violations through arbitrary code execution or firmware replacement.

Siemens has published security advisory SSA-787280, available at https://cert-portal.siemens.com/productcert/html/ssa-787280.html, which provides details on mitigation and remediation steps for affected SINAMICS S200 drives.