CVE-2017-9947

MEDIUM

Siemens APOGEE PXC and TALON TC BACnet Automation Controllers <V3.5 - Path Traversal via Web Server

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9947. PoCs published by RoseSecurity.

AI-analyzed exploit summary This repository contains a Python script and Metasploit module that exploit CVE-2017-9947, an authentication bypass and path traversal vulnerability in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers. The scripts fetch the hidden FieldPanel.xml file to extract sensitive configuration details.

Description

A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices.

Exploits (1)

nomisec WORKING POC 50 stars

by RoseSecurity · poc

https://github.com/RoseSecurity/APOLOGEE

View Code ZIP pw:eip

This repository contains a Python script and Metasploit module that exploit CVE-2017-9947, an authentication bypass and path traversal vulnerability in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers. The scripts fetch the hidden FieldPanel.xml file to extract sensitive configuration details.

Classification

Working Poc 95%

Attack Type

Info Leak | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Siemens APOGEE PXC BACnet Automation Controllers (all versions prior to V3.5) and TALON TC BACnet Automation Controllers (all versions prior to V3.5)

No auth needed

Prerequisites: Network access to the target device on ports 80/TCP or 443/TCP

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Broken Link, Third Party Advisory, VDB Entry vdb-entry

http://www.securityfocus.com/bid/101248

Broken Link, Vendor Advisory

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-148078.pdf

Vendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-148078.pdf

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/169544/Siemens-APOGEE-PXC-TALON-TC-Authentication-Bypass.html

Various Sources

https://packetstorm.news/files/id/169544

Scores

CVSS v3 5.3

EPSS 0.0728

EPSS Percentile 93.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22 CWE-538

Status published

Products (6)

None/APOGEE PXC and TALON TC BACnet Automation Controllers All versions <V3.5 APOGEE PXC and TALON TC BACnet Automation Controllers All versions <V3.5

n/a/APOGEE PXC and TALON TC BACnet Automation Controllers All versions <V3.5 APOGEE PXC and TALON TC BACnet Automation Controllers All versions <V3.5

siemens/apogee_pxc_firmware < 3.5

siemens/apogee_pxc_modular_firmware < 3.5

siemens/talon_tc_compact_firmware < 3.5

siemens/talon_tc_modular_firmware < 3.5

Published Oct 23, 2017

Tracked Since Feb 18, 2026