Siemens Simatic Energy Manager had a deserialization flaw patched in 2022 allowing RCE

Siemens patched a deserialization vulnerability in its Simatic Energy Manager in April 2022, attributing the flaw to the use of a programming method with known security risks. The flaw, tracked as CVE-2022-23450, could lead to remote code execution in software used to monitor energy consumption in industrial settings. The vulnerability stemmed from the software's use of the .NET BinaryFormatter class, which Microsoft had cautioned against because it is unsafe to deserialize untrusted input with it. Exploiting the flaw could enable attackers to execute code remotely without first having to bypass authentication checks. The flaw carries a CVSS score of 10, and any Siemens customer running a version below V.73 Update 1 remains vulnerable. Researchers at Claroty discovered the flaw and highlighted the risks that deserialization vulnerabilities still pose, even though this class of bug has been known for years.
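To show the pattern behind the advisory, here is an added C# example (not Siemens' or Claroty's code): a hypothetical energy-reading decoder written with BinaryFormatter, beside a replacement that binds the input to one declared type and bounds its size. The `EnergyReading` type and the `ReadingDecoder` methods are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical record a monitoring service might accept from a client.
public sealed class EnergyReading
{
    public string MeterId { get; set; } = "";
    public double Kilowatts { get; set; }
    public DateTimeOffset Timestamp { get; set; }
}

public static class ReadingDecoder
{
    // Weak: BinaryFormatter instantiates whatever type names the payload
    // carries, so the sender, not this code, decides what gets constructed.
    // Microsoft marks the API obsolete (SYSLIB0011) and newer .NET versions
    // disable it by default.
    public static EnergyReading DecodeWithBinaryFormatter(Stream untrusted)
    {
#pragma warning disable SYSLIB0011
        var formatter = new BinaryFormatter();
        return (EnergyReading)formatter.Deserialize(untrusted);
#pragma warning restore SYSLIB0011
    }

    private const int MaxPayloadBytes = 64 * 1024; // assumed limit

    // Hardened: a contract-based serializer maps bytes onto the one type named
    // here and never reads a type name from the input; the size cap and the
    // field checks reject oversized or nonsensical readings before use.
    public static EnergyReading DecodeWithJson(Stream untrusted)
    {
        using var bounded = new MemoryStream();
        var buffer = new byte[8192];
        int total = 0, n;
        while ((n = untrusted.Read(buffer, 0, buffer.Length)) > 0)
        {
            total += n;
            if (total > MaxPayloadBytes)
                throw new InvalidDataException("payload exceeds limit");
            bounded.Write(buffer, 0, n);
        }
        bounded.Position = 0;
        var reading = JsonSerializer.Deserialize<EnergyReading>(bounded)
                      ?? throw new InvalidDataException("empty payload");
        if (string.IsNullOrWhiteSpace(reading.MeterId) || reading.Kilowatts < 0)
            throw new InvalidDataException("reading failed validation");
        return reading;
    }
}
```

The weak method is the shape of code to look for in a review; the replacement is what Microsoft's guidance points to when the wire format can be changed.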
https://www.bankinfosecurity.com/patched-deserialization-flaw-in-siemens-product-allows-rce-a-24980