CVE-2017-9946 in APOGEE PXC
Summary
by MITRE
A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication and download sensitive information from the device.
Analysis
by VulDB Data Team • 06/03/2026
CVE-2017-9946 is an authentication bypass in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers, affecting all firmware versions prior to V3.5. The weakness lies in the controllers' integrated web server, which listens on the standard HTTP and HTTPS ports (80/tcp and 443/tcp). An attacker who can reach those ports over the network can retrieve information from the device that should be obtainable only after authenticating. Because these controllers are deployed in building and industrial automation environments, what is exposed is operational data rather than the contents of an ordinary web application.
The root cause is improper authentication (CWE-287) in the web server: the interface does not enforce its authentication requirement consistently across endpoints, so some resources that should require valid credentials are served without them. The public description does not say which endpoints are affected or where the disclosed data comes from, only that sensitive information can be downloaded; the practical effect is that the normal login workflow can be skipped for those resources. This is the familiar failure mode of opt-in authorization, where each handler has to remember to check, instead of a default-deny policy applied before any handler runs.
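To make the opt-in versus default-deny distinction concrete, here is an added illustration of the CWE-287 pattern just described, written for this page and not taken from Siemens firmware: a tiny request dispatcher in which only some endpoints are protected, beside a hardened version that requires credentials for everything not explicitly marked public. The endpoint names, the credential store and the HTTP Basic scheme are all constructed assumptions for the demo.

```python
import base64
import hmac
from typing import Dict, Tuple

# Constructed demo credential store; not a real device account.
VALID_USERS = {"operator": "s3cret"}

# Constructed resources served by the hypothetical web server.
RESOURCES = {
    "/index.html": "public landing page",
    "/config/export": "SENSITIVE: controller configuration",
    "/diag/log": "SENSITIVE: system log",
}


def make_auth_header(user: str, password: str) -> Dict[str, str]:
    """Build an HTTP Basic Authorization header for the demo client."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def basic_auth_ok(headers: Dict[str, str]) -> bool:
    """Validate an HTTP Basic Authorization header against VALID_USERS."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except ValueError:  # bad base64 (binascii.Error) and bad UTF-8 both derive from ValueError
        return False
    user, _, password = decoded.partition(":")
    expected = VALID_USERS.get(user)
    if expected is None:
        return False
    # Constant-time comparison so password checks do not leak timing.
    return hmac.compare_digest(expected.encode(), password.encode())


def vulnerable_dispatch(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Opt-in authentication: only paths the developer listed are protected.

    /diag/log was left off the list, so it is served to anyone. This is the
    CWE-287 pattern the analysis describes: a missing check on some endpoints.
    """
    protected = {"/config/export"}
    if path not in RESOURCES:
        return 404, "not found"
    if path in protected and not basic_auth_ok(headers):
        return 401, "unauthorized"
    return 200, RESOURCES[path]


def hardened_dispatch(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Default-deny: every path needs valid credentials unless explicitly public.

    The auth check runs before the existence check, so an unauthenticated
    client cannot even enumerate which paths exist.
    """
    public = {"/index.html"}
    if path not in public and not basic_auth_ok(headers):
        return 401, "unauthorized"
    if path not in RESOURCES:
        return 404, "not found"
    return 200, RESOURCES[path]


if __name__ == "__main__":
    for p in RESOURCES:
        print(p, "vulnerable:", vulnerable_dispatch(p, {}), "hardened:", hardened_dispatch(p, {}))
```

Run it and the vulnerable dispatcher hands `/diag/log` to an unauthenticated caller while the hardened one answers 401 for every non-public path, including paths that do not exist. The point is structural: adding a forgotten endpoint to a protected list fixes one bug, while moving the check ahead of routing removes the class.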
Operationally, the impact can extend beyond simple disclosure. Depending on what the unprotected resources expose, an attacker could learn configuration data, credentials, logs or network details that make follow-on attacks against the controller or the surrounding automation network easier to plan. In critical-infrastructure settings, where these controllers supervise building or process systems, that knowledge can be a stepping stone to operational disruption or safety-relevant manipulation, although the vulnerability itself is an information disclosure and does not by itself grant control of the device.
In ATT&CK terms the access maps to T1071.004 (Application Layer Protocol: Web Protocols) for the channel and T1083 (File and Directory Discovery) for the data gathering; note that T1071.004 is defined for command-and-control traffic, so the mapping describes the transport rather than a C2 use. The fix is to upgrade affected devices to firmware V3.5 or later. Until that is done, and as a standing control afterwards, isolate the controllers on a segmented network and restrict 80/tcp and 443/tcp to the engineering hosts that need them, using firewall rules or access control lists. Monitor for connections to those ports from any other source: because the download needs no login, there is no failed-authentication event to alert on, so a source outside the allowlist reaching the web interface is the signal. Periodic assessments of ICS deployments should verify that authentication is enforced on every web endpoint, not only on the login page.
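The two checks that paragraph asks for, finding controllers still below V3.5 and flagging web-interface access from outside an allowlist, are small enough to script. The following is an added example written for this page, not a Siemens or VulDB tool; the inventory, the engineering subnet, and the key=value flow records are constructed sample data, and the flow format is an assumption standing in for whatever your firewall or NetFlow exporter actually emits.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (3, 5)   # V3.5 is the first fixed firmware named in the advisory
WEB_PORTS = {80, 443}    # integrated web server ports named in the advisory

# Constructed inventory: controller address -> (model, firmware label as reported).
CONTROLLERS: Dict[str, Tuple[str, str]] = {
    "10.1.1.50": ("APOGEE PXC", "V3.2"),
    "10.1.1.51": ("TALON TC", "V3.5"),
}

# Constructed allowlist: only the engineering subnet may reach the web interfaces.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed firewall flow records (assumed key=value format for the demo).
SAMPLE_FLOWS = """\
2026-03-06T10:15:02Z src=10.20.30.5 dst=10.1.1.50 dport=443 proto=tcp
2026-03-06T10:15:09Z src=10.20.30.5 dst=10.1.1.51 dport=47808 proto=udp
2026-03-06T10:16:41Z src=192.168.77.9 dst=10.1.1.50 dport=80 proto=tcp
2026-03-06T10:16:42Z src=192.168.77.9 dst=10.1.1.51 dport=443 proto=tcp
2026-03-06T10:17:00Z src=10.20.30.7 dst=10.9.9.9 dport=80 proto=tcp
this line is not a flow record and is skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[0-9a-fA-F.:]+) dst=(?P<dst>[0-9a-fA-F.:]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_version(label: str) -> Tuple[int, ...]:
    """Turn a label such as 'V3.4.1' into (3, 4, 1). Raises ValueError if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", label.strip())
    if not m:
        raise ValueError(f"unrecognised firmware label: {label!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(label: str) -> bool:
    """True when the firmware is strictly below V3.5 (tuple comparison handles 3.4.9 < 3.5)."""
    return parse_version(label) < FIXED_VERSION


def affected_controllers() -> List[str]:
    """Addresses of inventoried controllers that still need the V3.5 upgrade."""
    return [ip for ip, (_, firmware) in CONTROLLERS.items() if is_affected(firmware)]


def find_suspicious_web_access(log_text: str) -> List[dict]:
    """Flag flows to a controller's web ports from any source outside ALLOWED_CLIENTS.

    Flows to other ports (e.g. BACnet/IP on 47808/udp) and to non-controller
    hosts are ignored; unparseable lines are skipped rather than raising.
    """
    hits: List[dict] = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst not in CONTROLLERS or dport not in WEB_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in ALLOWED_CLIENTS):
            continue
        model, firmware = CONTROLLERS[dst]
        hits.append({
            "ts": m["ts"], "src": str(src), "dst": dst, "dport": dport,
            "device": model, "firmware": firmware, "affected": is_affected(firmware),
        })
    return hits


if __name__ == "__main__":
    print("still below V3.5:", affected_controllers())
    for hit in find_suspicious_web_access(SAMPLE_FLOWS):
        print("ALERT", hit)
```

On the sample data the two flows from 192.168.77.9 are reported, the first against a controller still on V3.2 and therefore exploitable, while the engineering-subnet flows and the BACnet/IP flow are not. The `affected` flag is what lets an analyst prioritise: an off-allowlist connection to a patched controller is a segmentation violation, the same connection to an unpatched one is a likely data exposure.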