CVE-2019-13939 - Vulnerability Details

A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00345.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Siemens

APOGEE MEC/MBC/PXC (P2)

unknown

Version	Status	Constraints
`All versions < V2.8.2`	affected	—

Siemens

APOGEE PXC Compact (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Siemens

APOGEE PXC Compact (P2 Ethernet)

unknown

Version	Status	Constraints
`V2.8.2`	affected	< V2.8.19

Siemens

APOGEE PXC Modular (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Siemens

APOGEE PXC Modular (P2 Ethernet)

unknown

Version	Status	Constraints
`V2.8.2`	affected	< V2.8.19

Siemens

Capital Embedded AR Classic 431-422

unknown

Version	Status	Constraints
`0`	affected	< *

Siemens

Capital Embedded AR Classic R20-11

unknown

Version	Status	Constraints
`0`	affected	< V2303

Siemens

Desigo PXC00-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC00-U

unknown

Version	Status	Constraints
`All versions >= V2.3x and < V6.00.327`	affected	—

Siemens

Desigo PXC001-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC100-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC12-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC128-U

unknown

Version	Status	Constraints
`All versions >= V2.3x and < V6.00.327`	affected	—

Siemens

Desigo PXC200-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC22-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC22.1-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC36.1-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC50-E.D

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Desigo PXC64-U

unknown

Version	Status	Constraints
`All versions >= V2.3x and < V6.00.327`	affected	—

Siemens

Desigo PXM20-E

unknown

Version	Status	Constraints
`V2.3`	affected	< V6.0.327

Siemens

Nucleus NET

unknown

Version	Status	Constraints
`0`	affected	< *

Siemens

Nucleus ReadyStart V3

unknown

Version	Status	Constraints
`0`	affected	< V2017.02.3

Siemens

Nucleus Source Code

unknown

Version	Status	Constraints
`0`	affected	< *

Siemens

SIMOTICS CONNECT 400

unknown

Version	Status	Constraints
`All versions < V0.3.0.330`	affected	—

Siemens

TALON TC Compact (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Siemens

TALON TC Modular (BACnet)

unknown

Version	Status	Constraints
`0`	affected	< V3.5.3

Configuration 1 [-]

OR	cpe:2.3:a:siemens:capital_vstar::::::::
	cpe:2.3:a:siemens:nucleus_net::::::::
	cpe:2.3:a:siemens:nucleus_readystart::::::::
	cpe:2.3:a:siemens:nucleus_safetycert::::::::
	cpe:2.3:a:siemens:nucleus_source_code::::::::
	cpe:2.3:o:siemens:nucleus_rtos::::::::

Configuration 2 [-]

AND

cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:apogee_modular_equiment_controller:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:siemens:apogee_pxc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:apogee_pxc:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:siemens:desigo_pxc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:siemens:desigo_pxm20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxm20:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:siemens:simotics_connect_400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simotics_connect_400:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:siemens:talon_tc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:talon_tc:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:siemens:desigo_pxc00-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc00-e.d:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:siemens:desigo_pxc00-u_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc00-u:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:siemens:desigo_pxc001-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc001-e.d:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:siemens:desigo_pxc12-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc12-e.d:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:siemens:desigo_pxc22-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc22-e.d:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:siemens:desigo_pxc22.1-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc22.1-e.d:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:siemens:desigo_pxc36.1-e.d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigo_pxc36.1-e.d:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:siemens:desigopxc50-e.d_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc50-e.d:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:siemens:desigopxc64-u_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc64-u:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:siemens:desigopxc100-e.d_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc100-e.d:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:siemens:desigopxc128-u_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc128-u:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND

cpe:2.3:o:siemens:desigopxc200-e.d_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxc200-e.d:-:*:*:*:*:*:*:*

Configuration 21 [-]

AND

cpe:2.3:o:siemens:desigopxm20-e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:siemens:desigopxm20-e:-:*:*:*:*:*:*:*

No data.

Project Subscriptions

Vendors	Products
Siemens Subscribe	Apogee Modular Building Controller Subscribe Apogee Modular Building Controller Firmware Subscribe Apogee Modular Equiment Controller Subscribe Apogee Modular Equiment Controller Firmware Subscribe Apogee Pxc Subscribe Apogee Pxc Firmware Subscribe Capital Vstar Subscribe Desigo Pxc Subscribe Desigo Pxc00-e.d Subscribe Desigo Pxc00-e.d Firmware Subscribe Desigo Pxc00-u Subscribe Desigo Pxc00-u Firmware Subscribe Desigo Pxc001-e.d Subscribe Desigo Pxc001-e.d Firmware Subscribe Desigo Pxc12-e.d Subscribe Desigo Pxc12-e.d Firmware Subscribe Desigo Pxc22-e.d Subscribe Desigo Pxc22-e.d Firmware Subscribe Desigo Pxc22.1-e.d Subscribe Desigo Pxc22.1-e.d Firmware Subscribe Desigo Pxc36.1-e.d Subscribe Desigo Pxc36.1-e.d Firmware Subscribe Desigo Pxc Firmware Subscribe Desigo Pxm20 Subscribe Desigo Pxm20 Firmware Subscribe Desigopxc100-e.d Subscribe Desigopxc100-e.d Firmware Subscribe Desigopxc128-u Subscribe Desigopxc128-u Firmware Subscribe Desigopxc200-e.d Subscribe Desigopxc200-e.d Firmware Subscribe Desigopxc50-e.d Subscribe Desigopxc50-e.d Firmware Subscribe Desigopxc64-u Subscribe Desigopxc64-u Firmware Subscribe Desigopxm20-e Subscribe Desigopxm20-e Firmware Subscribe Nucleus Net Subscribe Nucleus Readystart Subscribe Nucleus Rtos Subscribe Nucleus Safetycert Subscribe Nucleus Source Code Subscribe Simotics Connect 400 Subscribe Simotics Connect 400 Firmware Subscribe Talon Tc Subscribe Talon Tc Firmware Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2019-5206	A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cert-portal.siemens.com/productcert/html/ssa-162506.html
https://cert-portal.siemens.com/productcert/html/ssa-434032.html
https://cert-portal.siemens.com/productcert/pdf/ssa-162506.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-20-105-06

History

Tue, 10 Jun 2025 15:30:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.	A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C'}`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}`

Tue, 11 Mar 2025 10:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2020-01-16T15:35:24.000Z

Updated: 2025-06-10T15:17:09.328Z

Reserved: 2019-07-18T00:00:00.000Z

Link: CVE-2019-13939

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-01-16T16:15:16.277

Modified: 2025-06-10T16:15:33.853

Link: CVE-2019-13939

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object