Siemens COMOS 2025: Critical Software Vulnerabilities in Industrial Control Systems
Executive Summary
In November 2025, Siemens disclosed critical software vulnerabilities affecting its COMOS platform, widely used in the industrial and critical manufacturing sectors. The flaws—specifically, an incomplete list of disallowed inputs and cleartext transmission of sensitive information—enabled remote attackers with low attack complexity to execute arbitrary code or intercept data. The affected versions were COMOS releases prior to 10.4.5, with potential for unauthorized access, data infiltration, or broader operational disruptions across global deployments. Siemens ProductCERT identified and reported the vulnerabilities, issuing patches and urging immediate upgrades and network protections.
This incident is highly relevant given the increasing threats to industrial control systems and the persistent exploitation of software supply chain vulnerabilities. The convergence of IT and OT environments means that unresolved vulnerabilities like these present heightened risks in critical infrastructure, drawing attention from regulators and advanced cyber attackers alike.
Why This Matters Now
With critical manufacturing systems underpinning global infrastructure, vulnerabilities in widely-deployed software like Siemens COMOS can facilitate system compromise at scale. As attackers increasingly target industrial platforms for both ransomware and data theft, immediate remediation and robust segmentation are essential to prevent cascading impacts or regulatory penalties.
Attack Path Analysis
An attacker remotely exploited Siemens COMOS vulnerabilities, initially leveraging cleartext transmission and insufficient input validation to gain a foothold. With code execution, the attacker escalated privileges within the application or host. The adversary then moved laterally within the networked environment, seeking additional systems or sensitive data by abusing unsegmented east-west traffic. Establishing command and control channels, likely via allowed outbound connections or covert channels, the attacker prepared or maintained persistent access. Subsequently, sensitive information was exfiltrated, potentially leveraging unencrypted or insufficiently controlled traffic flows. Ultimately, the attacker could execute malicious code or disrupt operations, creating significant impact for the target environment.
Kill Chain Progression
Initial Compromise
Description
The attacker remotely exploited the COMOS web interface, leveraging cleartext data transmission (CVE-2024-0056) or the incomplete validation flaw (CVE-2023-45133) to gain unauthorized access.
Related CVEs
CVE-2023-45133
CVSS 9.3An incomplete list of disallowed inputs in Siemens COMOS Web prior to version 10.4.5 allows an attacker to execute arbitrary code during compilation.
Affected Products:
Siemens COMOS Web – < 10.4.5
Exploit Status:
no public exploitCVE-2024-0056
CVSS 8.7Cleartext transmission of sensitive information in Siemens COMOS Snapshots component prior to version 10.4.5 could lead to data infiltration.
Affected Products:
Siemens COMOS Snapshots – < 10.4.5
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Application Layer Protocol
Exfiltration Over C2 Channel
Obfuscated Files or Information
Unsecured Credentials
Data Encoding
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong cryptography and security protocols
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Secure Data Transmission
Control ID: Data Pillar - Data-in-Transit Protection
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
ISO/IEC 27001:2022 – Secure development lifecycle
Control ID: A.8.25
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Critical Manufacturing
Siemens COMOS vulnerabilities enable arbitrary code execution and data infiltration in industrial control systems, requiring immediate updates to prevent operational disruption.
Oil/Energy/Solar/Greentech
Energy sector's reliance on Siemens industrial automation creates high exposure to remote exploitation and cleartext transmission vulnerabilities in COMOS systems.
Chemicals
Chemical manufacturing facilities using COMOS face critical risks from code injection attacks and unencrypted data transmission threatening process control security.
Utilities
Power and water utilities deploying COMOS systems are vulnerable to network-based attacks exploiting Babel compiler flaws and SQL client vulnerabilities.
Sources
- Siemens COMOShttps://www.cisa.gov/news-events/ics-advisories/icsa-25-317-15Verified
- NVD Entry for CVE-2023-45133https://nvd.nist.gov/vuln/detail/CVE-2023-45133Verified
- NVD Entry for CVE-2024-0056https://nvd.nist.gov/vuln/detail/CVE-2024-0056Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust network segmentation, encrypted traffic enforcement, egress policy controls, and anomaly detection would have minimized the attack surface, limited attacker movement, and enabled rapid detection of malicious actions. Implementing CNSF-aligned controls constrains unauthorized access, ensures sensitive data is not transmitted in cleartext, and intercepts lateral and outbound malicious activity, significantly containing the threat's scope.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents exploitation of sensitive data in transit and interception.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of unauthorized code execution on critical systems.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload communication.
Control: Cloud Firewall (ACF)
Mitigation: Prevents rogue outbound C2 traffic from leaving the controlled network.
Control: Egress Security & Policy Enforcement
Mitigation: Stops unauthorized data exfiltration.
Reduces operational impact and speeds response.
Impact at a Glance
Affected Business Functions
- Engineering Design
- Project Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive engineering project data and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce encrypted traffic for all critical application and database flows to prevent data interception and initial compromise.
- • Implement Zero Trust network segmentation and east-west traffic controls to restrict lateral movement and limit attacker reach.
- • Deploy policy-driven egress filtering to prevent unapproved data exfiltration and block command and control channels.
- • Integrate continuous threat detection and anomaly response for privileged actions and code execution to facilitate early attack containment.
- • Adopt a cloud-native security fabric (CNSF) approach to enable autonomous, inline controls and real-time policy enforcement across all environments.
