CVE-2024-22039
published 2024-03-12

Priority: P264 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.4th percentile)

A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions < IP8), Cerberus PRO EN Fire Panel FC72x IP6 (All versions < IP6 SR3), Cerberus PRO EN Fire Panel FC72x IP7 (All versions < IP7 SR5), Cerberus PRO EN X200 Cloud Distribution IP7 (All versions < V3.0.6602), Cerberus PRO EN X200 Cloud Distribution IP8 (All versions < V4.0.5016), Cerberus PRO EN X300 Cloud Distribution IP7 (All versions < V3.2.6601), Cerberus PRO EN X300 Cloud Distribution IP8 (All versions < V4.2.5015), Cerberus PRO UL Compact Panel FC922/924 (All versions < MP4), Cerberus PRO UL Engineering Tool (All versions < MP4), Cerberus PRO UL X300 Cloud Distribution (All versions < V4.3.0001), Desigo Fire Safety UL Compact Panel FC2025/2050 (All versions < MP4), Desigo Fire Safety UL Engineering Tool (All versions < MP4), Desigo Fire Safety UL X300 Cloud Distribution (All versions < V4.3.0001), Sinteso FS20 EN Engineering Tool (All versions < MP8), Sinteso FS20 EN Fire Panel FC20 MP6 (All versions < MP6 SR3), Sinteso FS20 EN Fire Panel FC20 MP7 (All versions < MP7 SR5), Sinteso FS20 EN X200 Cloud Distribution MP7 (All versions < V3.0.6602), Sinteso FS20 EN X200 Cloud Distribution MP8 (All versions < V4.0.5016), Sinteso FS20 EN X300 Cloud Distribution MP7 (All versions < V3.2.6601), Sinteso FS20 EN X300 Cloud Distribution MP8 (All versions < V4.2.5015), Sinteso Mobile (All versions < V3.0.0). The network communication library in affected systems does not validate the length of certain X.509 certificate attributes which might result in a stack-based buffer overflow. This could allow an unauthenticated remote attacker to execute code on the underlying operating system with root privileges.

Affected

30 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | cerberus_pro_en_engineering_tool | < IP8 | IP8 |
| siemens | cerberus_pro_en_engineering_tool | < ip8 | ip8 |
| siemens | cerberus_pro_en_fire_panel_fc72x | < ip8 | ip8 |
| siemens | cerberus_pro_en_fire_panel_fc72x_ip6 | < IP6 SR3 | IP6 SR3 |
| siemens | cerberus_pro_en_fire_panel_fc72x_ip7 | < IP7 SR5 | IP7 SR5 |
| siemens | cerberus_pro_en_x200_cloud_distribution | < 4.0.5016 | 4.0.5016 |
| siemens | cerberus_pro_en_x200_cloud_distribution_ip7 | < V3.0.6602 | V3.0.6602 |
| siemens | cerberus_pro_en_x200_cloud_distribution_ip8 | < V4.0.5016 | V4.0.5016 |
| siemens | cerberus_pro_en_x300_cloud_distribution | < 4.2.5015 | 4.2.5015 |
| siemens | cerberus_pro_en_x300_cloud_distribution_ip7 | < V3.2.6601 | V3.2.6601 |
| siemens | cerberus_pro_en_x300_cloud_distribution_ip8 | < V4.2.5015 | V4.2.5015 |
| siemens | cerberus_pro_ul_compact_panel_fc922_924 | < MP4 | MP4 |
| siemens | cerberus_pro_ul_engineering_tool | < MP4 | MP4 |
| siemens | cerberus_pro_ul_x300_cloud_distribution | < V4.3.0001 | V4.3.0001 |
| siemens | desigo_fire_safety_ul_compact_panel_fc2025_2050 | < MP4 | MP4 |
| siemens | desigo_fire_safety_ul_engineering_tool | < MP4 | MP4 |
| siemens | desigo_fire_safety_ul_x300_cloud_distribution | < V4.3.0001 | V4.3.0001 |
| siemens | sinteso_fs20_en_engineering_tool | < MP8 | MP8 |
| siemens | sinteso_fs20_en_engineering_tool | < mp8 | mp8 |
| siemens | sinteso_fs20_en_fire_panel_fc20 | < mp8 | mp8 |
| siemens | sinteso_fs20_en_fire_panel_fc20_mp6 | < MP6 SR3 | MP6 SR3 |
| siemens | sinteso_fs20_en_fire_panel_fc20_mp7 | < MP7 SR5 | MP7 SR5 |
| siemens | sinteso_fs20_en_x200_cloud_distribution | < 4.0.5016 | 4.0.5016 |
| siemens | sinteso_fs20_en_x200_cloud_distribution_mp7 | < V3.0.6602 | V3.0.6602 |
| siemens | sinteso_fs20_en_x200_cloud_distribution_mp8 | < V4.0.5016 | V4.0.5016 |

Detection & IOCs (extracted from sources)

  • The vulnerability is a stack-based buffer overflow triggered by malformed X.509 certificate attributes sent over the network communication library. Detect anomalously large or malformed X.509 certificate attribute fields in TLS/network handshakes targeting affected Siemens fire panel systems.
  • For Engineering Tool variants, exploitation requires an on-path (MitM) attacker intercepting communications within the fire system network. Monitor for unexpected certificate issuers or anomalous TLS sessions on the fire system network segment.
  • Successful exploitation of CVE-2024-22039 results in unauthenticated remote code execution with root privileges on the underlying OS. Alert on unexpected outbound connections or process spawning from fire panel network services.
  • The attack vector is network-based with no authentication or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Prioritize monitoring of network-accessible fire panel services for exploitation attempts.
  • For Sinteso Mobile, CVE-2024-22039 exploitation is limited to the app context (not the underlying OS), and requires an on-path attacker intercepting app communications in the fire system network.
  • No known public exploitation of CVE-2024-22039 has been reported at the time of advisory publication.
  • For Engineering Tool products (Cerberus PRO EN and Sinteso FS20 EN), no fix was available at time of initial advisory for companion CVEs (CVE-2024-22040, CVE-2024-22041), though CVE-2024-22039 is addressed by updating to IP8/MP8 or later.
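
One way to implement the first detection bullet above, as an added example rather than vendor or advisory code: a Python DER walker that flags certificate name attributes longer than the RFC 5280 upper bounds and length fields that overrun their enclosing element. The thresholds, the function names and the constructed sample names are assumptions, since the page does not say which attributes or lengths are involved.

```python
# Added example (not vendor code): flag oversized or malformed X.509 name attributes.
UB = {"550403": ("commonName", 64), "55040a": ("organizationName", 64),
      "55040b": ("organizationalUnitName", 64), "550407": ("localityName", 128),
      "550408": ("stateOrProvinceName", 128)}  # RFC 5280 upper bounds, keyed by OID bytes
DEFAULT_UB = 128                               # assumed ceiling for unlisted attributes
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1E}   # UTF8, Printable, Teletex, IA5, BMP

def read_tlv(buf, pos, end):  # -> (tag, value_start, value_end); ValueError if malformed
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                         # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported or truncated length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("declared length exceeds enclosing element")
    return tag, pos, pos + length

def scan(der):  # -> list of (kind, detail, size_or_offset) findings
    findings = []
    def walk(start, end, parent):
        pos, kids = start, []
        while pos < end:
            try:
                tag, vs, ve = read_tlv(der, pos, end)
            except ValueError as exc:
                findings.append(("malformed", str(exc), pos))
                return
            kids.append((tag, vs, ve))
            if tag & 0x20:                     # constructed type: descend into it
                walk(vs, ve, tag)
            pos = ve
        tags = [k[0] for k in kids]            # heuristic match: SEQUENCE { OID, string }
        if parent == 0x30 and len(tags) == 2 and tags[0] == 0x06 and tags[1] in STRING_TAGS:
            name, ub = UB.get(der[kids[0][1]:kids[0][2]].hex(), ("other", DEFAULT_UB))
            size = kids[1][2] - kids[1][1]     # bytes, so multi-byte text flags early
            if size > ub:
                findings.append(("oversized", name, size))
    walk(0, len(der), None)
    return findings

def tlv(tag, body):                            # DER encoder for the constructed samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_name(cn):                           # constructed Name with one commonName RDN
    return tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn))))
```

`scan()` accepts any DER buffer, so the same call works on a full certificate captured from a handshake on the fire system network segment as well as on a bare Name.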