CVE-2019-13939

A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.
Configurations

Configuration 1

OR
cpe:2.3:a:siemens:capital_vstar:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:nucleus_readystart:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:nucleus_safetycert:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:nucleus_source_code:*:*:*:*:*:*:*:*
cpe:2.3:o:siemens:nucleus_rtos:*:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:apogee_modular_equiment_controller:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:siemens:apogee_pxc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:apogee_pxc:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:siemens:desigo_pxc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:siemens:desigo_pxm20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxm20:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:siemens:simotics_connect_400_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simotics_connect_400:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:siemens:talon_tc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:talon_tc:-:*:*:*:*:*:*:*

Configuration 9

AND
cpe:2.3:o:siemens:desigo_pxc00-e.d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc00-e.d:-:*:*:*:*:*:*:*

Configuration 10

AND
cpe:2.3:o:siemens:desigo_pxc00-u_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc00-u:-:*:*:*:*:*:*:*

Configuration 11

AND
cpe:2.3:o:siemens:desigo_pxc001-e.d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc001-e.d:-:*:*:*:*:*:*:*

Configuration 12

AND
cpe:2.3:o:siemens:desigo_pxc12-e.d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc12-e.d:-:*:*:*:*:*:*:*

Configuration 13

AND
cpe:2.3:o:siemens:desigo_pxc22-e.d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc22-e.d:-:*:*:*:*:*:*:*

Configuration 14

AND
cpe:2.3:o:siemens:desigo_pxc22.1-e.d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc22.1-e.d:-:*:*:*:*:*:*:*

Configuration 15

AND
cpe:2.3:o:siemens:desigo_pxc36.1-e.d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigo_pxc36.1-e.d:-:*:*:*:*:*:*:*

Configuration 16

AND
cpe:2.3:o:siemens:desigopxc50-e.d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigopxc50-e.d:-:*:*:*:*:*:*:*

Configuration 17

AND
cpe:2.3:o:siemens:desigopxc64-u_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigopxc64-u:-:*:*:*:*:*:*:*

Configuration 18

AND
cpe:2.3:o:siemens:desigopxc100-e.d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigopxc100-e.d:-:*:*:*:*:*:*:*

Configuration 19

AND
cpe:2.3:o:siemens:desigopxc128-u_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigopxc128-u:-:*:*:*:*:*:*:*

Configuration 20

AND
cpe:2.3:o:siemens:desigopxc200-e.d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigopxc200-e.d:-:*:*:*:*:*:*:*

Configuration 21

AND
cpe:2.3:o:siemens:desigopxm20-e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:desigopxm20-e:-:*:*:*:*:*:*:*

History

10 Jun 2025, 16:15

Type: Summary

Values Removed: (en) A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

Values Added: (en) A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

Information

Published : 2020-01-16 16:15

Updated : 2025-06-10 16:15


NVD link : CVE-2019-13939

Mitre link : CVE-2019-13939

CVE.ORG link : CVE-2019-13939



Products Affected

siemens

  • desigopxc64-u_firmware
  • apogee_modular_building_controller
  • talon_tc
  • apogee_pxc
  • desigopxm20-e_firmware
  • desigo_pxc12-e.d_firmware
  • desigo_pxc36.1-e.d
  • nucleus_source_code
  • desigo_pxm20_firmware
  • nucleus_readystart
  • talon_tc_firmware
  • desigopxm20-e
  • desigo_pxc12-e.d
  • desigo_pxc22.1-e.d
  • desigopxc50-e.d
  • desigo_pxc
  • desigo_pxc001-e.d_firmware
  • desigopxc128-u
  • nucleus_net
  • apogee_modular_building_controller_firmware
  • desigopxc50-e.d_firmware
  • desigo_pxc00-u
  • apogee_modular_equiment_controller
  • simotics_connect_400_firmware
  • desigo_pxc22-e.d_firmware
  • desigo_pxc22-e.d
  • capital_vstar
  • desigo_pxc00-e.d
  • nucleus_rtos
  • desigopxc100-e.d
  • desigo_pxc_firmware
  • desigo_pxc00-u_firmware
  • desigo_pxc001-e.d
  • apogee_modular_equiment_controller_firmware
  • apogee_pxc_firmware
  • desigo_pxc22.1-e.d_firmware
  • desigo_pxm20
  • desigopxc100-e.d_firmware
  • desigopxc200-e.d
  • desigo_pxc36.1-e.d_firmware
  • desigopxc64-u
  • desigopxc128-u_firmware
  • desigopxc200-e.d_firmware
  • nucleus_safetycert
  • simotics_connect_400
  • desigo_pxc00-e.d_firmware
CWE
CWE-20: Improper Input Validation

NVD-CWE-noinfo