CVE-2019-13939 - Vulnerability Details

Description

A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

Published: 2020-01-16

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Siemens

APOGEE MEC/MBC/PXC (P2)

unknown

Version	Status	Constraints
`All versions < V2.8.2`	affected	—

Siemens

APOGEE PXC Compact (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Siemens

APOGEE PXC Compact (P2 Ethernet)

unknown

Version	Status	Constraints
`V2.8.2`	affected	< V2.8.19

Siemens

APOGEE PXC Modular (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Siemens

APOGEE PXC Modular (P2 Ethernet)

unknown

Version	Status	Constraints
`V2.8.2`	affected	< V2.8.19

Siemens

Capital Embedded AR Classic 431-422

unknown

Version	Status	Constraints
`0`	affected	< *

Siemens

Capital Embedded AR Classic R20-11

unknown

Version	Status	Constraints
`0`	affected	< V2303

Siemens

Desigo PXC00-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC00-U

unknown

Version	Status	Constraints
`All versions >= V2.3x and < V6.00.327`	affected	—

Siemens

Desigo PXC001-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC100-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC12-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC128-U

unknown

Version	Status	Constraints
`All versions >= V2.3x and < V6.00.327`	affected	—

Siemens

Desigo PXC200-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC22-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC22.1-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC36.1-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC50-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC64-U

unknown

Version	Status	Constraints
`All versions >= V2.3x and < V6.00.327`	affected	—

Siemens

Desigo PXM20-E

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Nucleus NET

unknown

Version	Status	Constraints
`0`	affected	< *

Siemens

Nucleus ReadyStart V3

unknown

Version	Status	Constraints
`0`	affected	< V2017.02.3

Siemens

Nucleus Source Code

unknown

Version	Status	Constraints
`0`	affected	< *

Siemens

SIMOTICS CONNECT 400

unknown

Version	Status	Constraints
`All versions < V0.3.0.330`	affected	—

Siemens

TALON TC Compact (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Siemens

TALON TC Modular (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Configuration 1 [-]

OR	cpe:2.3:a:siemens:capital_vstar::::::::
	cpe:2.3:a:siemens:nucleus_net::::::::
	cpe:2.3:a:siemens:nucleus_readystart::::::::
	cpe:2.3:a:siemens:nucleus_safetycert::::::::
	cpe:2.3:a:siemens:nucleus_source_code::::::::
	cpe:2.3:o:siemens:nucleus_rtos::::::::

Configuration 2 [-]

AND

cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:apogee_modular_equiment_controller:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:siemens:apogee_pxc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:apogee_pxc:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:siemens:desigo_pxc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:siemens:desigo_pxm20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxm20:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:siemens:simotics_connect_400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simotics_connect_400:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:siemens:talon_tc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:talon_tc:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:siemens:desigo_pxc00-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc00-e.d:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:siemens:desigo_pxc00-u_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc00-u:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:siemens:desigo_pxc001-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc001-e.d:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:siemens:desigo_pxc12-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc12-e.d:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:siemens:desigo_pxc22-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc22-e.d:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:siemens:desigo_pxc22.1-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc22.1-e.d:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:siemens:desigo_pxc36.1-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc36.1-e.d:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:siemens:desigopxc50-e.d_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc50-e.d:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:siemens:desigopxc64-u_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc64-u:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:siemens:desigopxc100-e.d_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc100-e.d:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:siemens:desigopxc128-u_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc128-u:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND

cpe:2.3:o:siemens:desigopxc200-e.d_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc200-e.d:-:*:*:*:*:*:*:*

Configuration 21 [-]

AND

cpe:2.3:o:siemens:desigopxm20-e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxm20-e:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2019-5206	A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00345.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://cert-portal.siemens.com/productcert/html/ssa-162506.html
https://cert-portal.siemens.com/productcert/html/ssa-434032.html
https://cert-portal.siemens.com/productcert/pdf/ssa-162506.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-20-105-06

History

Tue, 10 Jun 2025 15:30:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.	A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C'}`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}`

Tue, 11 Mar 2025 10:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Siemens Apogee Modular Building Controller Apogee Modular Building Controller Firmware Apogee Modular Equiment Controller Apogee Modular Equiment Controller Firmware Apogee Pxc Apogee Pxc Firmware Capital Vstar Desigo Pxc Desigo Pxc00-e.d Desigo Pxc00-e.d Firmware Desigo Pxc00-u Desigo Pxc00-u Firmware Desigo Pxc001-e.d Desigo Pxc001-e.d Firmware Desigo Pxc12-e.d Desigo Pxc12-e.d Firmware Desigo Pxc22-e.d Desigo Pxc22-e.d Firmware Desigo Pxc22.1-e.d Desigo Pxc22.1-e.d Firmware Desigo Pxc36.1-e.d Desigo Pxc36.1-e.d Firmware Desigo Pxc Firmware Desigo Pxm20 Desigo Pxm20 Firmware Desigopxc100-e.d Desigopxc100-e.d Firmware Desigopxc128-u Desigopxc128-u Firmware Desigopxc200-e.d Desigopxc200-e.d Firmware Desigopxc50-e.d Desigopxc50-e.d Firmware Desigopxc64-u Desigopxc64-u Firmware Desigopxm20-e Desigopxm20-e Firmware Nucleus Net Nucleus Readystart Nucleus Rtos Nucleus Safetycert Nucleus Source Code Simotics Connect 400 Simotics Connect 400 Firmware Talon Tc Talon Tc Firmware

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2020-01-16T15:35:24.000Z

Updated: 2025-06-10T15:17:09.328Z

Reserved: 2019-07-18T00:00:00.000Z

Link: CVE-2019-13939

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-01-16T16:15:16.277

Modified: 2025-06-10T16:15:33.853

Link: CVE-2019-13939

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object