Siemens Firmware Integrity Flaw CVE‑2022‑31807: Risks to Access Controllers

Siemens has confirmed a firmware-integrity weakness that affects several access-controller families and could let an attacker install modified firmware on door controllers — a scenario that turns a physical-access appliance into a persistent foothold. The vulnerability, tracked as CVE‑2022‑31807 and classified under CWE‑347 (Improper Verification of Cryptographic Signature), was republished by CISA and detailed by Siemens ProductCERT; affected devices include SiPass/ACC controllers and a Building X — Security Manager Edge Controller variant (ACC‑AP). The core issue is simple but severe: some units do not reliably verify firmware integrity before installation, enabling local uploads of tampered firmware or on‑the‑fly modification by an on‑path attacker.

Background / Overview​

The affected hardware — door and access controllers frequently deployed in corporate facilities, manufacturing plants and other critical environments — perform a gatekeeping role for physical entry and building automation. Compromise of such controllers can yield long-lived control over doors, alarms, and logs, and create a stealthy platform for lateral movement into adjacent IT/OT segments. Siemens’ advisories name the SiPass integrated AC5102 (ACC‑G2) and ACC‑AP families and also reference a Building X “Security Manager Edge Controller (ACC‑AP)” variant, indicating the problem spans multiple product lines. Industrial and physical‑security devices are high‑value targets: a firmware compromise is not a transient exploit but a persistent supply‑chain level control point. That makes verification of update packages and secure delivery mechanisms (signed firmware, secure transport, and strict access controls) central to any mitigation strategy.

---

Technical summary​

What the bug is and how it works​

• Affected devices do not properly verify the integrity of firmware updates before applying them. That can happen because the firmware update mechanism accepts packages without a robust cryptographic check or ignores signature verification failures.
• Two exploit scenarios are realistic:
• Local attacker: an adversary with local or administrative access to the controller can upload a maliciously modified firmware image and have it installed.
• On‑path (MITM) attacker: a remote attacker who can intercept firmware transfers between Siemens’ update server (or a management host) and the device can alter the firmware in transit and deliver a manipulated image.

Classification and assigned identifier​

• CWE: CWE‑347 — Improper Verification of Cryptographic Signature.
• CVE: CVE‑2022‑31807. This is the canonical tracking identifier used in Siemens, CISA, and public vulnerability databases.

Scoring (CVSS): inconsistent public figures — why that matters​

• Siemens’ SiPass advisory (SSA‑367714) and CISA’s SiPass republished advisory list a CVSS v3.1 base score of 6.2 (Medium) and a CVSS v4 base score of 8.2 (High).
• A separate Siemens ProductCERT advisory for a Building X controller lists CVSS v3.1 = 6.2 and CVSS v4 = 5.9, reflecting a different assessment for that product descriptor.
• Public aggregators (NVD, Tenable and others) generally reflect Siemens’ SiPass/ACC entries and show the higher CVSS v4 figures (8.2), while some vendor or republished summaries display the lower 5.9 number for the Building X entry. This divergence appears to stem from multiple vendor advisories covering different product families or product names and from differences in assessor choices when mapping attack vector/context under the CVSS v4 model. Operators must treat score variations as an indicator to read the full advisory and threat model, not rely solely on a single numeric score.

---

Risk evaluation: what successful exploitation can do​

A compromised firmware image can enable a range of attacks that are disproportionately damaging for ICS/physical‑security environments:

• Persistent backdoors: firmware‑level implants survive reboots and can evade higher‑level integrity checks or logging.
• Credential harvesting and replay: local credentials used by the controller or keys used for upstream authentication can be exfiltrated.
• Door unlock / access manipulation: an attacker can alter door policies, disable alarms, or create time‑based backdoors.
• Trust‑pivot to management servers: the controller often communicates with central servers; a compromised device can be a stepping stone for compromising broader access control infrastructure.
• Supply‑chain impact: if update servers or distribution channels lack end‑to‑end signing and validation, multiple devices across a fleet can be infected.

The advisories underline the practical difficulty: while a purely remote, unauthenticated exploit is not the default scenario, on‑path attackers or local attackers with network access face a low attack complexity and can realize high integrity impact. That combination — low complexity, high impact — is what elevates the operational urgency.

---

What Siemens and CISA say (official mitigations)​

Siemens ProductCERT and CISA republished advisories list consistent mitigation themes:

• Use authenticated update mechanisms: Siemens recommends using the vendor's ACC Firmware App and official SIOS portal to obtain verified firmware packages and to validate firmware hash values before applying updates. Where a product supports TLS for server↔device communication, enabling TLS reduces the risk of on‑path tampering.
• Limit access: restrict controller management to authorized personnel and protect credentials; apply role‑based access and strong password hygiene.
• Network hardening: isolate control networks behind firewalls, segment OT from corporate IT, and avoid exposing controllers directly to the Internet.
• When remote access is required: use vetted remote‑access solutions (VPNs, bastion hosts) while recognizing that those tools themselves must be kept current and monitored.
• Siemens status on fixes: for certain affected devices Siemens has stated no fix is planned; for others the vendor has indicated it is preparing fix versions or recommending compensating controls. This creates heterogeneity in remediation options across product lines. Operators must consult the specific Siemens ProductCERT advisory that maps to their model.

---

Immediate action checklist (operational steps for Windows/OT teams)​

• Inventory and identify affected units.
• Locate all controllers (ACC‑AP, ACC‑G2 / AC5102, Building X variants) and record firmware versions and management ports.
• Reduce exposure now.
• Remove any Internet accessibility and place the controllers behind a properly configured firewall or jump host.
• Enforce authenticated firmware delivery.
• If the ACC Firmware App and SIOS portal are available, use them to pull updates and verify artifact hashes before applying any image. If hashes are not provided or cannot be validated, treat updates as untrusted.
• Enable TLS where supported.
• On SiPass ACC devices TLS support begins at specified firmware versions; enable TLS for server↔device traffic to prevent on‑path modification.
• Rotate credentials and cloud/service keys.
• If devices were provisioned with default, weak, or shared credentials, replace them and apply least privilege.
• Strengthen monitoring.
• Deploy network IDS/IPS rules to spot unexpected firmware uploads or HTTP/TFTP firmware transfer patterns; monitor logs for unusual reboots, package installs, or unexplained configuration changes.
• Prepare incident response playbooks.
• Define a recovery plan: isolate affected device(s), obtain forensic images, re‑flash from verified factory images if available, and coordinate with Siemens ProductCERT.

These are immediate, pragmatic steps that reduce the chance of both local abuse and on‑the‑wire tampering.

---

Medium‑ and long‑term remediation and resilience​

• Replace or decommission devices that Siemens has declared “no fix planned” for, or plan an accelerated migration if they sit in high‑risk physical or critical infrastructure zones.
• Demand and verify cryptographic firmware signing from vendors. Systems must check signatures with a trusted public key anchored in device hardware (secure boot / secure loader).
• Implement secure‑by‑design update mechanisms: ensure vendor update channels support signed packages, TLS+mutual authentication, and reproducible hash verification.
• Invest in OT patch management and asset‑inventory tooling that treats firmware like software: verify signatures and enforce update policies.
• Build continuous monitoring for device‑level behavioral anomalies (unexpected outbound connections, unusual CPU patterns after updates, changes in access logs).
• Engage Siemens ProductCERT for product‑specific guidance and to schedule coordinated upgrades or replacements if fixes are made available.

---

Detection and incident response guidance​

Detection of firmware compromise is nontrivial. Recommended detection steps:

• Maintain a golden image and build a firmware‑hash baseline for each controller model and firmware version. Compare running firmware hashes against the baseline periodically.
• Monitor for unsigned or unexpected update transactions: unexpected POST/PUT to firmware endpoints, transfers via plain TFTP/HTTP, or anomalous TLS certificates in use.
• Capture network traffic around management windows for offline analysis. Look specifically for modified binary artifacts or suspicious mid‑stream changes.
• If infection is suspected:
• Isolate the device immediately from the network.
• Preserve forensic evidence (full disk/flash readouts, system logs, and packet captures).
• Reinstall from a verified, vendor-supplied signed image or perform a hardware-level restore if possible.
• Replace keys and credentials that may have been exposed.
• Coordinate with Siemens ProductCERT and, where applicable, regulatory or sector CERT teams.

---

Why the CVSS disagreement matters (and how to interpret it)​

Public records show different CVSS v4 figures for closely related advisories: some Siemens advisories and downstream summaries list a CVSS v4 of 8.2, others for a slightly different product string list 5.9. The reasons include:

• Different product contexts: the same underlying flaw can score differently if a product is server‑facing vs local‑only, or if mitigations (TLS, signed updates) are present/absent.
• Assessor choices: CVSS v4 introduced more nuanced attributes (Integrity/Availability/Safety impact, attack requirements); assessors can choose different values for attack vector, attack requirements, or impact dimensions.
• Publication timing and updates: advisory versions and re‑scorings happen as more technical detail or exploitability data become available.

Operators should therefore read the advisories fully and map them to their actual deployment context rather than relying on a single numeric severity. Treat score discrepancies as a trigger to check device role, connectivity, and available mitigations.

---

Critical analysis: strengths, weaknesses, and enterprise risk​

Strengths (what Siemens/CISA did well)​

• Siemens published product‑level advisories with clear CWE classification, affected models, and actionable mitigations (enable TLS, use authenticated firmware distribution tools). The vendor also acknowledged the external reporter (Airbus Security) — a sign of responsible disclosure.
• CISA republished the vendor advisories to raise awareness across critical infrastructure operators and reiterated standard ICS hardening guidance (segmentation, minimizing network exposure). That amplifies the message to affected organizations.

Weaknesses and risks​

• No fix planned for some devices: Siemens’ statement that fixes are not planned for certain models forces operators into compensating controls or device replacement — a costly and operationally disruptive choice.
• Inconsistent scoring and multiple advisories: score divergence across advisories can confuse prioritization in patching pipelines and risk registers.
• Firmware-update trust model gaps: the root cause is a failure of end‑to‑end trust in firmware delivery. Without mandatory code signing and secure boot, many embedded devices remain brittle to firmware‑level compromise.
• Operational complexity: many organizations lack processes for verifying firmware hashes, maintaining isolated update channels, or performing hardware‑level forensic recovery after a firmware compromise. That gap increases exploitation risk despite vendor guidance.

---

Practical recommendations for Siemens customers (prioritized)​

• Immediate: Isolate affected controllers from Internet exposure and restrict management to hardened jump hosts or air‑gapped maintenance stations.
• Immediate: Validate any new firmware images via the ACC Firmware App and hash verification before applying updates; insist on getting signed packages from the vendor portal.
• Short term: Implement TLS between server and device where supported, and rotate credentials used for device administration.
• Medium term: Replace end‑of‑life units or devices with no planned fixes; plan budget and migration windows now.
• Long term: Require vendors to provide firmware signing + secure boot and include that requirement in procurement and supplier‑security SLAs.

---

Closing assessment​

CVE‑2022‑31807 is a textbook example of how integrity failures in firmware update paths elevate risk from manageable to existential for access‑control systems. Siemens and CISA have published concrete mitigation guidance and highlighted the immediate need to protect firmware distribution and device access. However, the lack of universal fixes for all affected devices and inconsistent scoring among advisories means that organizations must act conservatively: inventory impacted devices, apply compensating controls now, and plan device replacement where a vendor patch is unavailable.
Treat firmware as first‑class attack surface: enforce signed updates, secure transport, strict access controls, and continuous monitoring. That approach will reduce the chance that a seemingly routine update becomes the vector for a long‑term compromise of physical security and operational continuity.

---

Source: CISA Siemens Building X - Security Manager Edge Controller | CISA