Siemens has confirmed a vulnerability in its APOGEE PXC and TALON TC building automation devices that allows an unauthenticated remote actor to retrieve sensitive files — including the device’s encrypted database — over BACnet, a widely used building automation protocol, a weakness now tracked as CVE‑2025‑40757 and assigned a CVSS v4 base score of 6.3.

Background / Overview

APOGEE PXC and TALON TC devices are building automation controllers and thermostatic control units commonly deployed in commercial facilities and critical manufacturing environments. The devices support BACnet for building control interoperability and, in affected versions, permit network queries that can be used to retrieve the device’s encrypted database file (.db). Siemens and public advisories describe the root condition as an exposure of sensitive information to an unauthorized actor (CWE‑200): devices connected to a network may allow unrestricted access to files that should be protected.
Technical highlights reported by the vendor and republished by national authorities include:
  • Affected products: APOGEE PXC Series (BACnet and P2 Ethernet) and TALON TC Series (BACnet) — all reported versions.
  • Vulnerability class: Exposure of sensitive information; ability to download the encrypted .db file via BACnet.
  • Identifiers and scoring: CVE‑2025‑40757; CVSS v3.1 base score previously reported at 5.3; the CVSS v4 vector submitted yields 6.3 (AV:N/AC:L/AT/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
Siemens has published the original ProductCERT advisory (SSA‑916339) and CISA republished the vendor advisory for visibility, noting that CISA will not continue iterative Siemens product updates beyond the initial posting and that operators should follow Siemens ProductCERT for the latest fixes and guidance.

Why this matters: operational risk and attack surface

This issue matters for three interlocking reasons:
  • Credentials leakage vector: The downloaded .db file may contain hashed or encrypted passwords and configuration data. While the file is encrypted, attackers with offline time and resources can attempt cracking, re‑use of weak credentials can enable follow‑on access, and leaked config data can reveal network topology or service endpoints useful for escalation.
  • BACnet exposure is common: BACnet is frequently allowed across management and building networks for valid operational reasons. If BACnet traffic traverses poorly segmented or internet‑facing networks, the ability to retrieve files becomes an immediate external risk.
  • IT–OT bridging increases collateral impact: Even though APOGEE and TALON devices are OT (operational technology), the attacker’s ability to harvest credentials or configuration can produce lateral movement into adjacent IT systems — Windows servers, operator workstations, or maintenance hosts — particularly in environments where network segmentation is weak. Siemens and CISA explicitly stress minimizing network exposure as a primary mitigation.
CISA’s republished advisory notes that no known public exploitation of this specific issue had been reported to them at the time of publication; however, absence of public exploitation reports does not equal absence of risk — especially where network‑accessible protocols and low attack complexity are involved.

Technical analysis: what an attack looks like

An adversary with network access to BACnet-capable interfaces on an affected APOGEE or TALON device can query the protocol to request file contents. BACnet supports remote file access primitives in some implementations; the Siemens advisory indicates these devices do not sufficiently restrict or authenticate access to sensitive files exposed through those primitives.
Key technical points:
  • Attack vector: Network (BACnet); no local credentials required for the initial file retrieval operation described in the advisory, which is why the vector is classified as remotely accessible with low attack complexity.
  • What is leaked: the device’s encrypted database file (.db) containing configuration and password material; while encrypted at rest, offline attacks could be attempted and exposures can disclose secrets useful for follow‑on attacks.
  • Attack consequences: direct information disclosure enabling credential compromise, reconnaissance for lateral movement, and preparatory data for firmware or configuration manipulation if other vulnerabilities exist in the estate.

Siemens’ vendor guidance and immediate mitigations

Siemens has published specific mitigations operators should apply immediately; these are pragmatic, short-term controls but not necessarily permanent fixes.
Siemens’ recommended measures include:
  • Change all default passwords (ensure all three default passwords on the device are changed even if not in active use).
  • Enforce strong passwords: up to 15 characters, with uppercase, lowercase, digits, and symbols.
  • Disable Telnet (it is disabled by default; verify it's off).
Additionally, Siemens recommends operating devices within protected IT environments and following its operational guidelines for industrial security; CISA similarly recommends minimizing network exposure, placing control system networks behind firewalls, and using secure remote access methods (VPNs), while acknowledging VPNs themselves must be kept current.
Important caveat: vendor‑supplied mitigations that strengthen authentication and restrict insecure services are useful but may only reduce attack likelihood. Because the core issue allows retrieval of a file via BACnet, network‑level restrictions are essential to preventing exploitation entirely.

Recommended priority playbook (practical, ranked actions)

The following plan is written for operational teams (IT, OT, security operations, and facilities) responsible for building automation and adjacent Windows estate defense. These steps prioritize immediate risk reduction, detection, and longer‑term remediation.
  • Rapid inventory and triage (Day 0–1)
      • Identify all APOGEE PXC and TALON TC devices on your network (IP addresses, MACs, firmware/software build versions).
      • Identify where BACnet traffic flows and which VLANs/routers expose BACnet across network boundaries.
      • Flag devices that are reachable from IT or vendor support networks as high priority.
  • Immediate hardening (Day 0–3)
      • Change all default passwords and rotate any operator credentials stored in the .db if possible. Enforce strong password policies.
      • Verify Telnet is disabled; disable any unused services accessible via TCP/UDP.
      • Block BACnet (UDP 47808, i.e. 0xBAC0, or any other configured port) at the network perimeter and between business and control networks unless explicitly required.
      • Implement ACLs on switches/routers to restrict who can reach device management ports.
  • Network containment (Day 1–7)
      • Place affected devices into a dedicated management VLAN accessible only from authorized jump hosts and maintenance systems.
      • Deploy firewall rules that allow BACnet only from known, trusted management hosts; deny all other BACnet sources.
      • If remote vendor support is required, set up a tightly controlled remote jump host and limit connectivity in time (e.g., time‑bound VPN sessions with MFA).
  • Detection and monitoring (Day 0–14)
      • Enable and review logs for BACnet file access operations; where logs are insufficient, deploy network capture (pcap) on critical segments to detect suspicious BACnet file reads.
      • Monitor for unusual volumes of BACnet Who‑Is / Who‑Has traffic or repeated file retrievals from management ports.
      • Add IDS/IPS signatures or network rules to flag suspicious BACnet file‑read operations (AtomicReadFile) and alert SOC teams.
  • Patch and vendor follow‑through (Day 3–30)
      • Monitor Siemens ProductCERT (SSA‑916339) for vendor fixes or updated guidance and plan firmware or image upgrades per vendor instructions. CISA’s republished advisory explicitly points operators to Siemens ProductCERT for current remediation.
      • If a vendor patch is available, test it in a staging environment, validate operational behavior, then schedule staged production deployment with rollback plans.
  • Credential and secrets hygiene (Day 0–30)
      • Rotate any credentials stored on affected devices that could be used elsewhere.
      • Where shared accounts are used across devices or systems, replace them with unique, non‑reusable credentials and manage them centrally in a credential vault accessible only to operators.
  • Post‑remediation validation (Day 30+)
      • Conduct a targeted penetration test or red‑team exercise to confirm that network and device configurations prevent unauthorized BACnet file access.
      • Document lessons learned and add device‑level checks to the regular asset management and vulnerability scanning cadence.
Each environment will have constraints (safety interlocks, 24/7 operations), so coordinate maintenance windows and validate with automation and safety teams before applying firmware updates. Siemens’ operational guidance should be followed for device‑specific steps.

Detection indicators and log hunting for Windows and network teams

Because OT devices often lack rich host‑level telemetry, the detection focus should be on network artifacts and adjacent Windows hosts used for device management.
  • Network indicators
      • Unusual BACnet file‑read (AtomicReadFile) or ReadProperty requests returning large payloads.
      • Repeated Who‑Is/Who‑Has queries across devices outside of known maintenance windows.
      • Session initiation from unexpected IP addresses to device management ports (especially from outside the management VLAN).
  • Host indicators (Windows jump hosts / operator workstations)
      • Unexpected downloads of configuration files or .db artifacts from remote devices via BACnet bridging tools.
      • Suspicious processes that spawn BACnet client utilities or that open raw socket connections to OT device ports.
      • New or changed scheduled tasks that perform network queries against building automation IPs.
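As an added example (not code from Siemens, CISA or this post), the following Python script turns the playbook's detection step and the network indicators above into something runnable: it decodes the BVLC, NPDU and APDU layers of BACnet/IP datagrams far enough to name the service, flags AtomicReadFile requests from hosts outside an assumed management allowlist, and counts Who‑Is broadcasts per source against an assumed threshold. The packet bytes, IP addresses, allowlist and threshold are all constructed for the example; in practice the datagrams would come from a pcap taken on the control segment.

```python
"""Flag suspicious BACnet/IP traffic in a batch of captured UDP payloads.
Added example, not from the advisory. All packets, addresses and policy
values are constructed for illustration."""
import struct
from collections import Counter
from typing import Optional

# Service choice numbers from the BACnet standard (ASHRAE 135).
ATOMIC_READ_FILE = 6          # confirmed service
READ_PROPERTY = 12            # confirmed service
WHO_IS = 8                    # unconfirmed service
CONFIRMED_NAMES = {6: "AtomicReadFile", 7: "AtomicWriteFile",
                   12: "ReadProperty", 14: "ReadPropertyMultiple"}
UNCONFIRMED_NAMES = {0: "I-Am", 7: "Who-Has", 8: "Who-Is"}
FILE_OBJECT_TYPE = 10         # BACnet object type "file"

# Assumed site policy: hosts allowed to speak BACnet to controllers, and the
# number of Who-Is broadcasts from one source above which we alert.
TRUSTED_MGMT_HOSTS = {"10.0.1.10"}
WHO_IS_THRESHOLD = 3


def parse_bacnet(payload: bytes) -> Optional[dict]:
    """Return {'pdu_type', 'service', 'object'} for a BACnet/IP datagram, else None."""
    # BVLC: type 0x81, function, 16-bit total length. Only Original-Unicast
    # (0x0A) and Original-Broadcast (0x0B) NPDUs are handled here.
    if len(payload) < 4 or payload[0] != 0x81 or payload[1] not in (0x0A, 0x0B):
        return None
    if struct.unpack("!H", payload[2:4])[0] != len(payload):
        return None
    npdu = payload[4:]
    if len(npdu) < 2 or npdu[0] != 0x01:
        return None
    ctrl, pos = npdu[1], 2
    if ctrl & 0x80:                      # network-layer message carries no APDU
        return None
    try:
        if ctrl & 0x20:                  # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + npdu[pos + 2]
        if ctrl & 0x08:                  # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + npdu[pos + 2]
    except IndexError:
        return None
    if ctrl & 0x20:                      # hop count follows when DNET is present
        pos += 1
    apdu = npdu[pos:]
    if not apdu:
        return None
    pdu_type = apdu[0] >> 4
    if pdu_type == 0:                    # confirmed request
        # header: [type|flags][max-resp][invoke-id]([seq][window] if segmented)[service]
        svc_index = 5 if apdu[0] & 0x08 else 3
        if len(apdu) <= svc_index:
            return None
        params, obj = apdu[svc_index + 1:], None
        # AtomicReadFile and ReadProperty both start with an object identifier:
        # application tag 12, length 4 -> tag byte 0xC4, then type(10b)|instance(22b).
        if len(params) >= 5 and params[0] == 0xC4:
            raw = struct.unpack("!I", params[1:5])[0]
            obj = (raw >> 22, raw & 0x3FFFFF)
        service = CONFIRMED_NAMES.get(apdu[svc_index], str(apdu[svc_index]))
        return {"pdu_type": "confirmed", "service": service, "object": obj}
    if pdu_type == 1 and len(apdu) >= 2:  # unconfirmed request: [0x10][service]
        service = UNCONFIRMED_NAMES.get(apdu[1], str(apdu[1]))
        return {"pdu_type": "unconfirmed", "service": service, "object": None}
    return None


def analyze(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, payload). Returns a list of alert strings."""
    alerts, who_is_by_src = [], Counter()
    for src, dst, payload in datagrams:
        msg = parse_bacnet(payload)
        if msg is None:
            continue
        trusted = src in TRUSTED_MGMT_HOSTS
        if msg["service"] == "Who-Is":
            who_is_by_src[src] += 1
        elif msg["service"] == "AtomicReadFile":
            obj = msg["object"]
            target = f"file,{obj[1]}" if obj and obj[0] == FILE_OBJECT_TYPE else str(obj)
            alerts.append(f"{'INFO' if trusted else 'HIGH'} AtomicReadFile of {target} on {dst} from {src}")
        elif msg["pdu_type"] == "confirmed" and not trusted:
            alerts.append(f"MEDIUM {msg['service']} to {dst} from untrusted {src}")
    for src, n in who_is_by_src.items():
        if n > WHO_IS_THRESHOLD:
            alerts.append(f"MEDIUM {n} Who-Is broadcasts from {src} (threshold {WHO_IS_THRESHOLD})")
    return alerts


# --- constructed sample traffic (not a real capture) -----------------------
def _bvlc(func, body):
    return bytes([0x81, func]) + struct.pack("!H", 4 + len(body)) + body


def who_is_pkt():
    return _bvlc(0x0B, bytes([0x01, 0x00, 0x10, WHO_IS]))


def confirmed_pkt(service, obj_type, instance, params):
    obj_id = struct.pack("!I", (obj_type << 22) | instance)
    return _bvlc(0x0A, bytes([0x01, 0x04, 0x00, 0x05, 0x01, service, 0xC4]) + obj_id + params)


# AtomicReadFile stream access: [0] { start position 0, 1024 octets }
READ_FILE_PARAMS = bytes([0x0E, 0x31, 0x00, 0x22, 0x04, 0x00, 0x0F])
SAMPLE_DATAGRAMS = [
    ("10.0.1.10", "10.0.5.255", who_is_pkt()),
    ("10.0.1.10", "10.0.5.21", confirmed_pkt(READ_PROPERTY, 8, 21, b"\x19\x4d")),
    ("10.0.1.10", "10.0.5.21", confirmed_pkt(ATOMIC_READ_FILE, 10, 1, READ_FILE_PARAMS)),
] + [("10.0.5.99", "10.0.5.255", who_is_pkt()) for _ in range(4)] + [
    ("10.0.5.99", "10.0.5.21", confirmed_pkt(ATOMIC_READ_FILE, 10, 1, READ_FILE_PARAMS)),
    ("10.0.5.99", "10.0.5.21", b"\x00\x01\x02"),   # not BACnet, ignored
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_DATAGRAMS):
        print(line)
```

Run as-is, the sample produces one INFO line for the trusted host's file read, one HIGH line for the same read from the untrusted 10.0.5.99, and one MEDIUM line for its four Who‑Is broadcasts; the trusted ReadProperty is silent. Feeding real traffic means extracting the UDP payloads (typically port 47808) from a pcap and, for routed BACnet, keeping the DNET/SNET handling above so the APDU offset stays correct.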
Forensic steps if compromise is suspected:
  • Capture full pcap of the relevant network segment.
  • Export the device .db (if available) for offline analysis and rotate any credentials found there.
  • Snapshot operator/management Windows hosts for memory and disk analysis; look for indicators of credential theft or persistence.
  • Report to internal incident response teams and coordinate with Siemens ProductCERT as part of responsible disclosure / incident coordination.

Critical evaluation: strengths, weaknesses, and unanswered questions

Strengths in Siemens’ and CISA’s approach:
  • Siemens provided immediate, concrete mitigations (password change, disable telnet) that are actionable with low operational impact.
  • CISA’s republication improves visibility for US infrastructure owners and emphasizes the need to follow the vendor’s ProductCERT for updates.
Weaknesses and residual risks:
  • The advisory describes retrieval of an encrypted .db file. Encryption is better than plaintext storage but is only a mitigating control — offline brute force, default or weak keys, or reuse of credentials across systems can still yield compromise. The advisory does not publish the encryption algorithm or key management model; that detail is critical to assessing the offline cracking risk and should be requested from the vendor.
  • Short‑term mitigations like changing default passwords and disabling telnet are necessary but insufficient if BACnet access remains reachable from broader network segments or the internet. Network controls are the primary barrier to exploitation.
  • The advisory indicates all versions of the listed products are affected; without a vendor patch timeline published in the republished advisory, operators are left to rely on compensating controls until an upstream fix is made available. CISA’s republication instructs operators to consult Siemens ProductCERT for the canonical, updated remediation status.
Unanswered / unverifiable points to track:
  • The precise cryptographic strength and key management used for the .db file remain vendor technical details; the extent to which offline cracking is realistic cannot be verified from the republished advisory text alone. This is an important gap — treat the .db as sensitive even if encrypted.
  • Whether proof‑of‑concept exploit code exists in the wild is not confirmed; at publication, CISA reported no known public exploitation of this vulnerability. That status can change quickly — continue to monitor Siemens ProductCERT and threat intel feeds.

Hardening checklist for Windows teams supporting OT environments

Windows administrators who manage the bridge between IT and OT should prioritize the following:
  • Enforce strict network segmentation: ensure Windows management hosts that need to access APOGEE/TALON devices are on a dedicated management VLAN with jump host restrictions.
  • Harden jump hosts: restrict local admin use, enable EDR, enable disk and memory logging, and require MFA for remote access.
  • Remove unnecessary BACnet client tools from Windows hosts unless they are essential for operations; keep any such tools patched and tightly controlled.
  • Centralize credential management: use vault solutions instead of storing plaintext or reusing passwords across devices and Windows services.
  • Audit and restrict software installation rights to reduce the chance of lateral compromise from Windows workstations into OT systems.
  • Maintain asset inventory and configuration baselines for OT devices in the same way you manage Windows servers and endpoints.

Regulatory, supply‑chain and governance notes

  • Because these devices are deployed in critical manufacturing and other infrastructure sectors worldwide, organizations should coordinate vulnerability management with safety engineering and operations teams to ensure patches and mitigations do not disrupt safety‑critical functions.
  • If you rely on third‑party integrators or vendors for device management, require timely security updates in contracts and insist on notification and remediation timelines for disclosed vulnerabilities. CISA and Siemens guidance underscores the importance of tracking ProductCERT advisories as the canonical source for Siemens product remediation.

Final takeaway: immediate posture and next steps

Treat this advisory as a high‑priority OT hygiene and network‑segregation issue:
  • Immediately change defaults and harden credentials, but do not stop there — apply strict BACnet network controls and isolate affected devices until vendor patches are applied.
  • Increase detection for BACnet file‑access activity and coordinate with OT and Windows teams to ensure jump hosts, remote access, and vendor support channels are tightly controlled and monitored.
  • Monitor Siemens ProductCERT (SSA‑916339) for definitive fixes and patch guidance; CISA’s republication reinforces that Siemens ProductCERT is the authoritative source for ongoing updates.
Operators should treat the .db extraction capability as a real exposure: even encrypted artifacts can yield operationally significant intelligence and, combined with other weaknesses, can enable broader attacks against enterprise and Windows assets. Implement the prioritized playbook above, coordinate across IT/OT/safety teams, and validate mitigations with staged tests before returning devices to normal operations.

(End of report.)

Source: CISA Siemens Apogee PXC and Talon TC Devices | CISA