Summary
A vulnerability was reported in Siemens TIA Portal. TIA Portal is part of the installation packages of several Festo Didactic products.
TP 260 before June 2023 and MES PC based on DELL XE3 contain a vulnerable versions of TIA Portal V15 to V18.
Affected products of TIA Portal contain a path traversal vulnerability that could allow the creation or overwrite of arbitrary files in the engineering system.
Impact
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| MES PC DELL XE3 | TIA-Portal V15<V17Update6, TIA-Portal V18<V18Update1 | |
| 8107242 | TP260 <June2023 | TIA-Portal V18<V18Update1, TIA-Portal V15<V17Update6 |
Vulnerabilities
Expand / Collapse allA vulnerability has been identified in Totally Integrated Automation Portal (TIA Portal) V15 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 6), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 1). Affected products contain a path traversal vulnerability that could allow the creation or overwrite of arbitrary files in the engineering system. If the user is tricked to open a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution.
Remediation
Update TIA-Portal. Please refer to Siemens SSA-116924 for more details.
Acknowledgments
Festo SE & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination and support with this publication (see https://certvde.com )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 17.10.2023 08:00 | Initial revision. |
| 1.0.1 | 01.10.2025 08:00 | Adjusted to VDE template. Changed title from "Vulnerable Siemens TIA-Portal in several Festo Didactic Products" to "Festo: Vulnerable Siemens TIA-Portal in multiple Festo Didactic products". |