Siemens has released a security update for its COMOS engineering platform that squashes two high-severity vulnerabilities, one rated a critical 9.3 on the CVSS scale. The flaws — in a JavaScript compiler and a SQL client library — could let attackers execute arbitrary code on engineering workstations or intercept sensitive database credentials in industrial facilities. Every organization running COMOS versions older than 10.4.5 needs to patch immediately, according to the official advisory SSA-682326.
The Vulnerabilities: Code Execution and Credential Interception
The advisory, first published by Siemens ProductCERT and echoed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), bundles two distinct but equally dangerous bugs that crept into COMOS through third-party components.
CVE-2023-45133 – Babel Compiler Code Execution
A flaw in the widely used Babel JavaScript compiler (specifically the @babel/traverse package) allows an attacker who can feed malicious code into the compilation process to run arbitrary commands. In COMOS, this affects installations where the COMOS Web component is deployed. If a build pipeline or developer tool compiles untrusted JavaScript — perhaps imported from a configuration file or external source — the exploit triggers when certain plugins call path.evaluate() or path.evaluateTruthy(). The CVSS score sits at a dire 9.3, reflecting a low-complexity attack that can lead to full system compromise. Siemens says updating COMOS to version 10.4.5 eliminates the risky Babel dependency.
CVE-2024-0056 – SQL Client Security Feature Bypass
The second vulnerability lives in the Microsoft.Data.SqlClient and System.Data.SqlClient libraries that COMOS uses for database connections. An adversary positioned for a man-in-the-middle (AiTM) attack could weaken encryption or swipe authentication material during the SQL handshake. This affects COMOS setups that rely on the Snapshots component. With a CVSS score of 8.7, the risk is especially acute in mixed IT/OT networks where maintenance channels or VPNs might not be fully hardened. The fix updates the SQL client libraries to patched versions that enforce proper encryption and block credential leaks.
Both vulnerabilities have no known public exploits yet, Siemens and CISA note, but the technical details are now public, making exploitation a matter of “when, not if” for unpatched systems.
Affected Product Versions at a Glance
| Component | CVE | CVSS 3.1 | Affected COMOS Versions |
|---|---|---|---|
| COMOS Web (Babel) | CVE-2023-45133 | 9.3 | All versions prior to 10.4.5 |
| COMOS Snapshots (SQL) | CVE-2024-0056 | 8.7 | All versions prior to 10.4.5 |
What This Means for Windows Administrators and OT Teams
If you oversee Windows environments that intersect with operational technology (OT), this advisory demands a swifter response than typical Patch Tuesday updates. COMOS is an engineering and lifecycle management platform deployed in critical manufacturing, energy, and process industries — where an attacker gaining code execution could pivot from an engineering PC to safety controllers or production systems.
For IT Admins Supporting OT
The SQL client bug is particularly worrying because many Windows-based engineering stations use the same .NET libraries for database access outside of COMOS. Even if you patched the standalone SQL client through Microsoft updates, a vulnerable COMOS installation reintroduces the old library. Check all COMOS instances and confirm they’re on 10.4.5; the installer replaces the faulty DLLs. Further, because COMOS often runs on Windows Server or Windows 10/11 workstations, the attack surface is a familiar one — yet the stakes are far higher when a production line depends on that machine.
For Process Engineers and Plant Operators
The Babel vulnerability might seem abstract, but the real-world risk hits when you import project configurations or run custom scripts in COMOS. Until you patch, treat every external file as potentially hostile. The advisory’s advice to “only compile trusted code” is hard to guarantee in practice — an infected USB drive or a malicious email attachment forwarded to an engineering PC can become the entry point. Patching removes the underlying weakness.
Why the Babel Bug Matters in OT Contexts
Babel is a cornerstone of modern JavaScript tooling, and its presence inside an industrial application illustrates a mounting supply-chain challenge. The vulnerable path.evaluate methods are called by common plugins like @babel/plugin-transform-runtime and @babel/preset-env when useBuiltIns is enabled. If COMOS or any connected tooling processes user-supplied JavaScript — perhaps for custom calculations or import/export converters — the door is open. Because OT networks are often flat, code execution on a single COMOS workstation could let an adversary pivot to historians, HMIs, or PLC programming software.
The SQL Risk for Windows Admin Teams
CVE-2024-0056 weakens an encryption layer that many assume is rock-solid. In a typical IT environment, AiTM attacks on SQL traffic are hard to pull off, but within a plant network, an attacker who compromises a switch or a poorly configured VPN concentrator might silently capture credentials. Those credentials frequently have elevated access to configuration databases that store recipes, setpoints, and even safety parameters. The fix from Microsoft exists for standalone clients, but because COMOS bundles the vulnerable library, every unpatched COMOS node is a potential leak.
How We Got Here: COMOS, Third-Party Code, and the OT Exposure Gap
COMOS has long been a staple in heavy industry, with versions dating back over a decade. Like many legacy platforms, it bundles a vast array of third-party libraries to handle everything from UI rendering to database connectivity. When vulnerabilities surface in those components, Siemens must test and issue integrated patches — a process that can lag behind the upstream fixes by months.
This isn’t the first COMOS alert. Over 2023–2025, Siemens and CISA published multiple advisories for COMOS, covering XML external entity (XXE) attacks, memory corruption in Open Design Alliance SDKs, and other flaws. The recurring theme? External libraries bringing enterprise-IT risks into the OT realm. Meanwhile, CISA’s policy change in January 2023 shifted the burden to vendors: CISA now only republishes the initial advisory, leaving Siemens ProductCERT as the authoritative source for updates. That makes direct, continuous monitoring of Siemens’ security page essential — something many understaffed OT teams struggle to maintain.
The Babel bug (CVE-2023-45133) was fixed in the JavaScript ecosystem as early as October 2023 with @babel/traverse 7.23.2. Yet it took until now for Siemens to integrate that fix into a full COMOS release, illustrating the patching latency endemic to industrial software. The SQL client issue (CVE-2024-0056) is even more recent; Microsoft patched its libraries through .NET updates earlier this year, but COMOS’s embedded use case meant an independent release was needed. For Windows-centric organizations, the lag means a double patching burden: apply the Siemens update and confirm that standalone .NET applications are also remediated.
What to Do Now: A Practical Remediation Roadmap
Step 1: Identify Every COMOS Instance
Within the next 72 hours, locate all COMOS servers and engineering workstations. Note their exact version and build number — anything below 10.4.5 is vulnerable. Document whether COMOS Web or Snapshots components are active; each maps to a specific CVE. If you can’t patch immediately, at least isolate these systems from the wider network.
Step 2: Deploy the Siemens Update
Download and install COMOS 10.4.5 from Siemens’ support portal. This is the only guaranteed way to fix both CVEs simultaneously. After installation:
- Check the file version of Microsoft.Data.SqlClient.dll and System.Data.SqlClient.dll (for the SQL fix).
- Verify that the installed Babel packages — look for @babel/traverse in the COMOS Web directory — are version 7.23.2 or higher.
- If you use COMOS in high-availability setups, plan a coordinated maintenance window to avoid downtime.
Step 3: Harden the Surrounding Environment
While patching is the silver bullet, add these layers immediately:
- Network isolation: Put COMOS servers on a dedicated OT VLAN with no internet access. Use firewalls to block all inbound traffic except from explicitly trusted management IPs.
- Secure remote access: If remote maintenance is unavoidable, enforce VPN with multi-factor authentication, limit jump-host access, and log all sessions.
- File import hygiene: Disable automatic loading of external configuration files in COMOS until the patch is applied. After patching, still sanitize XML and JSON inputs to avoid future XXE or injection tricks.
- Build environment lockdown: If your team compiles custom JavaScript or uses COMOS scripting features, upgrade local Babel tooling to version 7.23.2 or higher, and audit any third-party plugins that could reintroduce the vulnerable evaluation paths.
Step 4: Update Standalone SQL Clients
Even outside COMOS, ensure your .NET applications use the fixed Microsoft.Data.SqlClient (2.1.7+, 3.1.5+, 4.0.5+, 5.1.3+) or System.Data.SqlClient (4.8.6+). Microsoft’s published updates via Windows Update and NuGet should be applied everywhere COMOS’s database client might be present or mirrored.
Step 5: Monitor for Exploit Attempts
Deploy endpoint detection rules to catch:
- Unexpected calls to node.exe or other JavaScript engines by COMOS-related processes.
- Abnormal file reads from COMOS directories, especially of XML files or outside expected paths.
- Anomalous SQL traffic: TLS downgrades, unusual handshake patterns, or connections to unknown endpoints.
Set up alerts and have your incident response team ready to isolate a suspected compromised host. Siemens’ advisory includes specific indicators for both CVEs; integrate those into your SIEM.
Outlook: Expect More Supply-Chain Shocks in OT
This advisory is a harbinger. As industrial software incorporates more open-source and commercial components, the attack surface will keep expanding. Siemens deserves credit for consolidating these fixes into one patch, but the gap between upstream component fixes and integrated OT updates remains a chronic vulnerability. Organizations must adopt proactive supply-chain governance: demand SBOMs from vendors, run dependency scanners on OT software (where permissible), and budget for regular, tested patch rollouts — not just when an advisory hits.
For Windows-centric shops that bridge IT and OT, the lesson is clear: OT security isn’t a separate world. The same Babel bug that threatens a web developer’s CI/CD pipeline now threatens a petrochemical plant. Patch COMOS now, and start treating your industrial applications with the same security rigor you’d apply to your email server.