The Cybersecurity and Infrastructure Security Agency (CISA) has issued an industrial control systems (ICS) advisory warning that Siemens Desigo CC and SENTRON Powermanager products are affected by a third-party privilege escalation flaw.

The Siemens Desigo CC product family comprises integrated building management platforms, while SENTRON Powermanager provides a dashboard for energy consumption analysis.

All versions of Desigo CC V5.0, V5.1, V6, V7 and V8, as well as all versions of SENTRON Powermanager V5, V6, V7 and V8, were found to be affected by a flaw in the third-party software licensing and protection solution Wibu CodeMeter, tracked as CVE-2025-47809.

CVE-2025-47809 has a high CVSS score of 8.2 and could enable an unprivileged user to gain administrator privileges immediately after installation of CodeMeter Runtime and first launch of CodeMeter Control Center.

Exploitation can only occur if all of the following are true: CodeMeter was installed by an unprivileged user with User Account Control (UAC), the CodeMeter Control Center component was installed, and CodeMeter Control Center has not been restarted since the initial installation.

In this scenario, after a built-in administrator account has approved the installation of CodeMeter, the unprivileged user can use the “Import License” function in CodeMeter Control Center to navigate to any file in Windows Explorer and open it with admin privileges.

This could include cmd.exe, which would enable the unprivileged local user to gain administrative access to the command console and execute commands as an admin-level user, according to Wibu.

The issue can be mitigated by ensuring CodeMeter Control Center is restarted immediately after installation; however, it is recommended that new installations of CodeMeter be made using version 8.30a or later.

Siemens also generally recommends that users protect network access to their devices, including by following the recommendations in Siemens’ operational guidelines for industrial security when configuring their environments. CISA recommends ICS managers minimize exposure of control systems to the internet, isolate control system networks from business networks and use secure methods, such as up-to-date virtual private networks (VPNs), when remote access is needed.

CISA warns Siemens products affected by third-party privilege escalation bug




