CVE-2019-13939
Description
A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DHCP client input validation vulnerability in Nucleus RTOS allows an adjacent attacker to change a device's IP address, impacting availability and integrity.
Vulnerability
The vulnerability exists in the DHCP implementation of the networking component (Nucleus NET) within the Nucleus Real-Time Operating System (RTOS) [1]. By sending specially crafted DHCP packets to a device with DHCP client enabled, an attacker can change the IP address to an invalid value [1][2]. Affected products include numerous Siemens building automation and industrial devices such as APOGEE MEC/MBC/PXC (P2) (versions < V2.8.2), APOGEE PXC Compact (BACnet) (versions < V3.5.3), Desigo PXC series (multiple versions), SIMOTICS CONNECT 400 (< V0.3.0.330), and others listed in the advisory [1][2].
Exploitation
An attacker must have adjacent-network access to the target device to send malicious DHCP packets [2]. No authentication is required, and the skill level needed is low [2]. The attacker crafts DHCP responses that cause the device to adopt an invalid IP address, disrupting network connectivity.
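The advisory does not say which address values the affected client accepts. As an added illustration (not Nucleus NET or Siemens code), the block below shows checks a DHCP client can apply to a reply before configuring its interface; all function names are hypothetical, and the address classes it rejects are an assumption about what "invalid" covers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example; every name here is hypothetical, not Nucleus NET code. */
enum { DHCP_OK, DHCP_BAD_FRAME, DHCP_BAD_ADDR, DHCP_BAD_MASK };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
/* Bounds-checked walk of the options area for option 1 (subnet mask). */
static int find_mask(const uint8_t *o, size_t n, uint32_t *mask) {
    for (size_t i = 0; i < n; ) {
        uint8_t code = o[i++];
        if (code == 0) continue;                 /* pad option */
        if (code == 255 || i >= n) return -1;    /* end, or no length byte */
        uint8_t len = o[i++];
        if (len > n - i) return -1;              /* option overruns packet */
        if (code == 1 && len == 4) { *mask = be32(o + i); return 0; }
        i += len;
    }
    return -1;
}
/* Validate a BOOTREPLY before its lease is applied to the interface. */
int dhcp_check_reply(const uint8_t *pkt, size_t len, uint32_t want_xid) {
    uint32_t ip, mask = 0, inv;
    if (len < 240 || pkt[0] != 2 || be32(pkt + 4) != want_xid ||
        be32(pkt + 236) != 0x63825363u)
        return DHCP_BAD_FRAME;                   /* not our reply, or no cookie */
    ip = be32(pkt + 16);                         /* yiaddr: the offered address */
    if ((ip >> 24) == 0 || (ip >> 24) == 127 || (ip >> 28) >= 0xE)
        return DHCP_BAD_ADDR;                    /* 0/8, loopback, 224/3 */
    if (find_mask(pkt + 240, len - 240, &mask) != 0) return DHCP_BAD_MASK;
    inv = ~mask;
    if (mask == 0 || (inv & (inv + 1)) != 0) return DHCP_BAD_MASK; /* gaps */
    if ((ip & inv) == 0 || (ip & inv) == inv) return DHCP_BAD_ADDR; /* net/bcast */
    return DHCP_OK;
}
/* Constructed sample reply (buf >= 247 bytes): header, mask option, end. */
size_t build_reply(uint8_t *buf, uint32_t xid, uint32_t yiaddr, uint32_t mask) {
    memset(buf, 0, 247);
    buf[0] = 2; put32(buf + 4, xid); put32(buf + 16, yiaddr);
    put32(buf + 236, 0x63825363u);               /* DHCP magic cookie */
    buf[240] = 1; buf[241] = 4; put32(buf + 242, mask); buf[246] = 255;
    return 247;
}
```

A client that gets anything other than `DHCP_OK` should keep its current configuration and log the reply rather than apply the lease.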
Impact
Successful exploitation results in the device obtaining an invalid IP address, leading to loss of network connectivity. This affects the availability of the device and could allow the attacker to make further configuration changes [2]. The integrity of the device's network configuration is compromised.
Mitigation
Siemens has released updates for some products: APOGEE MEC/MBC/PXC (P2) update to V2.8.2; APOGEE PXC Compact (BACnet) and TALON TC Compact (BACnet) update to V3.5.3; APOGEE PXC Compact (P2 Ethernet) and Modular (P2 Ethernet) update to V2.8.19; Desigo PXC series update to V6.00.327; SIMOTICS CONNECT 400 update to V0.3.0.330 [1]. For products where no fix is available, Siemens recommends network segmentation and disabling DHCP client if not required [1]. Capital Embedded AR Classic 431-422 has no fix planned [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (29)
- Range: < V2.8.2
- Range: < V0.3.0.330
- Range: All versions < V2.8.2
- Siemens/APOGEE PXC Compact (BACnet), v5, Range: 0
- Siemens/APOGEE PXC Compact (P2 Ethernet), v5, Range: V2.8.2
- Siemens/APOGEE PXC Modular (BACnet), v5, Range: 0
- Siemens/APOGEE PXC Modular (P2 Ethernet), v5, Range: V2.8.2
- Siemens/Capital Embedded AR Classic 431-422, v5, Range: 0
- Siemens/Capital Embedded AR Classic R20-11, v5, Range: 0
- Siemens/Desigo PXC001-E.D, v5, Range: V2.3
- Siemens/Desigo PXC00-E.D, v5, Range: V2.3
- Siemens/Desigo PXC00-U, v5, Range: All versions >= V2.3x and < V6.00.327
- Siemens/Desigo PXC100-E.D, v5, Range: V2.3
- Siemens/Desigo PXC128-U, v5, Range: All versions >= V2.3x and < V6.00.327
- Siemens/Desigo PXC12-E.D, v5, Range: V2.3
- Siemens/Desigo PXC200-E.D, v5, Range: V2.3
- Siemens/Desigo PXC22.1-E.D, v5, Range: V2.3
- Siemens/Desigo PXC22-E.D, v5, Range: V2.3
- Siemens/Desigo PXC36.1-E.D, v5, Range: V2.3
- Siemens/Desigo PXC50-E.D, v5, Range: V2.3
- Siemens/Desigo PXC64-U, v5, Range: All versions >= V2.3x and < V6.00.327
- Siemens/Desigo PXM20-E, v5, Range: V2.3
- Siemens/Nucleus NET, v5, Range: 0
- Siemens/Nucleus ReadyStart V3, v5, Range: 0
- Siemens/Nucleus Source Code, v5, Range: 0
- Siemens/SIMOTICS CONNECT 400, v5, Range: All versions < V0.3.0.330
- Siemens/TALON TC Compact (BACnet), v5, Range: 0
- Siemens/TALON TC Modular (BACnet), v5, Range: 0
Patches (0)
No patches discovered yet.
References (5)
- cert-portal.siemens.com/productcert/pdf/ssa-162506.pdf (mitre, x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf (mitre, x_refsource_MISC)
- us-cert.cisa.gov/ics/advisories/icsa-20-105-06 (mitre, x_refsource_MISC)
- cert-portal.siemens.com/productcert/html/ssa-162506.html (mitre)
- cert-portal.siemens.com/productcert/html/ssa-434032.html (mitre)