Desigo CC SQL Injection via Event Port: Unauth Remote Code Exec
CVE-2024-23815 Published on May 13, 2025
A vulnerability has been identified in Desigo CC (all versions if access from Installed Clients to the Desigo CC server is allowed from networks outside of a highly protected zone) and Desigo CC (all versions if access from Installed Clients to the Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp).
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2024-23815
Affected Versions
Siemens Desigo CC:
- Before * is affected.