Siemens has released updates addressing vulnerabilities in its JT Open and PLM XML SDK software. These vulnerabilities, including a NULL pointer dereference and a stack-based buffer overflow, could allow attackers to crash the applications or execute arbitrary code. The vulnerabilities impact all versions of the software, and Siemens advises users to update to JT Open version 11.5 and PLM XML SDK version 7.1.0.014 or later.
The affected vulnerabilities include CWE-476 (NULL pointer dereference) and CWE-121 (stack-based buffer overflow). The first vulnerability could result in application crashes due to malformed XML files, while the second could allow code execution in the context of the current process. Both vulnerabilities have been assigned CVEs, with CVE-2024-37996 and CVE-2024-37997 having CVSS v4 scores of 4.8 and 7.3, respectively.
Siemens has provided recommendations for users to avoid these vulnerabilities. Besides updating to the latest versions, users are urged not to open untrusted XML files in affected applications. Siemens also recommends general security measures, such as protecting network access to devices and following the company’s industrial security guidelines.
CISA supports Siemens’ mitigations by advising organizations to minimize network exposure for control system devices, place them behind firewalls, and use VPNs for remote access. While no public exploitation of these vulnerabilities has been reported, Siemens and CISA encourage implementing defense-in-depth strategies to safeguard critical infrastructure.