All CISA Advisories, EN

Siemens COMOS

2025-08-14 19:08

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 8.2
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: COMOS
Vulnerability: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

Siemens COMOS: all versions prior to V10.6

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

Out-of-bounds Write vulnerability was discovered in Open Design Alliance Drawings SDK before 2025.10. Reading crafted DWF file and missing proper checks on received SectionIterator data can trigger an unhandled exception. This can allow attackers to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

CVE-2024-8894 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRI

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article:

Siemens COMOS

Tags: All CISA Advisories EN

Post navigation

← What Is Zero Trust, Really?

Siemens RUGGEDCOM ROX II →

Search for:
Pages

Advertising

Contact

Legal and Contact information

Opt-out preferences

Privacy Policy

Social Media

Apps

Telegram Channel

Recent Posts

IT Security News Hourly Summary 2025-08-15 00h : 9 posts August 15, 2025

Ransomware crews don’t care about your endpoint security – they’ve already killed it August 15, 2025

Post-Incident CRM Forensics: Why Deploying AppOmni Is a Best Practice August 15, 2025

IT Security News Daily Summary 2025-08-14 August 15, 2025

New EncryptHub Campaign Leverages Brave Support Platform to Deliver Malicious Payloads via MMC Vulnerability August 15, 2025

My favorite power station now has a massive discount on Amazon August 15, 2025

Own a PS5? Changing these 3 settings gave my console an instant performance boost August 15, 2025

These smart glasses can read menus and ‘see for you’, thanks to AI August 15, 2025

ESR issues recall for power bank due to fire risk – here’s what you need to know and do ASAP August 15, 2025

How the Premier League uses AI to boost fan experiences and score new business goals August 15, 2025

BSidesSF 2025: Don’t Trust, Verify! – How I Found A CSRF Bug Hiding In Plain Sight August 15, 2025

62% of People Believe AI Agents Are Easier To Deceive Than Humans August 14, 2025

Threat Actors Weaponizing YouTube Video Download Site to Download Proxyware Malware August 14, 2025

New Malvertising Attack Spreads Crypto Stealing PS1Bot Malware August 14, 2025

Ransomware Actors Combine Legitimate Tools with Custom Malware to Evade Detection August 14, 2025

Spring 2025 PCI 3DS compliance package available now August 14, 2025

IT Security News Hourly Summary 2025-08-14 21h : 6 posts August 14, 2025

New Trends in Phishing Attacks Emerges as AI Reshaping the Tool Used by Cybercriminals August 14, 2025

Threat Actors Leverage CrossC2 to Extend Cobalt Strike to Linux and macOS August 14, 2025

Google Announces That Android’s pKVM Framework Achieves SESIP Level 5 Certification August 14, 2025

Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com.

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}