CVE-2019-13939 [High] | Input Validation Bypass in Capital Vstar

A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8.2 < V2.8.19), Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Desigo PXC00-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC100-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC12-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC50-E.D (All versions >= V2.3 < V6.0.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3 < V6.0.327), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.34%	0.71%	+0.37%
2	2025-11-21	0.15%	0.34%	+0.19%
3	2025-11-18	—	0.15%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.34%

0.71%

+0.37%

2025-11-21

0.15%

0.34%

+0.19%

2025-11-18

—

0.15%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.1	4.0	HIGH	`CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` Click to expand Attack vector (AV:A) Attacker has to be on an adjacent/local network segment. Attack complexity (AC:L) Exploitation conditions are straightforward and stable. Attack requirements (AT:N) No additional preconditions are required beyond normal reachability. Privileges required (PR:N) No privileges are required. User interaction (UI:N) No user interaction is required. Vulnerable system confidentiality impact (VC:N) No confidentiality impact on the vulnerable system. Vulnerable system integrity impact (VI:L) Limited integrity impact on the vulnerable system. Vulnerable system availability impact (VA:H) High availability impact on the vulnerable system. Subsequent system confidentiality impact (SC:N) No confidentiality impact on subsequent systems. Subsequent system integrity impact (SI:N) No integrity impact on subsequent systems. Subsequent system availability impact (SA:N) No availability impact on subsequent systems. Exploit maturity (threat) (E:X) Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked). Confidentiality requirement (CR:X) Not defined: insufficient information; scoring treats this like High (worst case). Integrity requirement (IR:X) Not defined: insufficient information; scoring treats this like High (worst case). Availability requirement (AR:X) Not defined: insufficient information; scoring treats this like High (worst case). Modified attack vector (MAV:X) Not defined: scoring uses the Base Attack Vector (AV). Modified attack complexity (MAC:X) Not defined: scoring uses the Base Attack Complexity (AC). Modified attack requirements (MAT:X) Not defined: scoring uses the Base Attack Requirements (AT). Modified privileges required (MPR:X) Not defined: scoring uses the Base Privileges Required (PR). Modified user interaction (MUI:X) Not defined: scoring uses the Base User Interaction (UI). Modified vulnerable system confidentiality impact (MVC:X) Not defined: scoring uses the Base VC metric. Modified vulnerable system integrity impact (MVI:X) Not defined: scoring uses the Base VI metric. Modified vulnerable system availability impact (MVA:X) Not defined: scoring uses the Base VA metric. Modified subsequent system confidentiality impact (MSC:X) Not defined: scoring uses the Base SC metric. Modified subsequent system integrity impact (MSI:X) Not defined: scoring uses the Base SI metric. Modified subsequent system availability impact (MSA:X) Not defined: scoring uses the Base SA metric. Safety (supplemental) (S:X) Not evaluated. Automatable (supplemental) (AU:X) Not evaluated. Recovery (supplemental) (R:X) Not evaluated. Value density (supplemental) (V:X) Not evaluated. Vulnerability response effort (supplemental) (RE:X) Not evaluated. Provider urgency (supplemental) (U:X) Not evaluated.	—	—	[email protected]
7.1	3.1	HIGH	`CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	4.2	[email protected]
7.1	3.1	HIGH	`CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	4.2	[email protected]
4.8	2.0	MEDIUM	`AV:A/AC:L/Au:N/C:N/I:P/A:P` Click to expand Access vector (AV:A) Requires access to an adjacent network segment. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	6.5	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.1

4.0

HIGH

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Click to expand

Attack vector (AV:A): Attacker has to be on an adjacent/local network segment.
Attack complexity (AC:L): Exploitation conditions are straightforward and stable.
Attack requirements (AT:N): No additional preconditions are required beyond normal reachability.
Privileges required (PR:N): No privileges are required.
User interaction (UI:N): No user interaction is required.
Vulnerable system confidentiality impact (VC:N): No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L): Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H): High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N): No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N): No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N): No availability impact on subsequent systems.
Exploit maturity (threat) (E:X): Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked).
Confidentiality requirement (CR:X): Not defined: insufficient information; scoring treats this like High (worst case).
Integrity requirement (IR:X): Not defined: insufficient information; scoring treats this like High (worst case).
Availability requirement (AR:X): Not defined: insufficient information; scoring treats this like High (worst case).
Modified attack vector (MAV:X): Not defined: scoring uses the Base Attack Vector (AV).
Modified attack complexity (MAC:X): Not defined: scoring uses the Base Attack Complexity (AC).
Modified attack requirements (MAT:X): Not defined: scoring uses the Base Attack Requirements (AT).
Modified privileges required (MPR:X): Not defined: scoring uses the Base Privileges Required (PR).
Modified user interaction (MUI:X): Not defined: scoring uses the Base User Interaction (UI).
Modified vulnerable system confidentiality impact (MVC:X): Not defined: scoring uses the Base VC metric.
Modified vulnerable system integrity impact (MVI:X): Not defined: scoring uses the Base VI metric.
Modified vulnerable system availability impact (MVA:X): Not defined: scoring uses the Base VA metric.
Modified subsequent system confidentiality impact (MSC:X): Not defined: scoring uses the Base SC metric.
Modified subsequent system integrity impact (MSI:X): Not defined: scoring uses the Base SI metric.
Modified subsequent system availability impact (MSA:X): Not defined: scoring uses the Base SA metric.
Safety (supplemental) (S:X): Not evaluated.
Automatable (supplemental) (AU:X): Not evaluated.
Recovery (supplemental) (R:X): Not evaluated.
Value density (supplemental) (V:X): Not evaluated.
Vulnerability response effort (supplemental) (RE:X): Not evaluated.
Provider urgency (supplemental) (U:X): Not evaluated.

—

[email protected]

7.1

3.1

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

4.2

[email protected]

7.1

3.1

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

4.2

[email protected]

4.8

2.0

MEDIUM

AV:A/AC:L/Au:N/C:N/I:P/A:P Click to expand

Access vector (AV:A): Requires access to an adjacent network segment.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

6.5

4.9

[email protected]

Affected software / configurations for CVE-2019-13939

Vendor	Product	Version	Raw CPE
siemens	capital_vstar	—	cpe:2.3:a:siemens:capital_vstar::::::::
siemens	nucleus_net	—	cpe:2.3:a:siemens:nucleus_net::::::::
siemens	nucleus_readystart	< 2017.02.2	cpe:2.3:a:siemens:nucleus_readystart::::::::
siemens	nucleus_safetycert	—	cpe:2.3:a:siemens:nucleus_safetycert::::::::
siemens	nucleus_source_code	—	cpe:2.3:a:siemens:nucleus_source_code::::::::
siemens	nucleus_rtos	—	cpe:2.3:o:siemens:nucleus_rtos::::::::
siemens	apogee_modular_equiment_controller_firmware	< 2.8.2	cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware::::::::
siemens	apogee_modular_building_controller_firmware	< 2.8.2	cpe:2.3:o:siemens:apogee_modular_building_controller_firmware::::::::
siemens	apogee_pxc_firmware	<= 2.8.2	cpe:2.3:o:siemens:apogee_pxc_firmware::::::::
siemens	desigo_pxc_firmware	>= 2.3	cpe:2.3:o:siemens:desigo_pxc_firmware::::::::
siemens	desigo_pxm20_firmware	>= 2.3	cpe:2.3:o:siemens:desigo_pxm20_firmware::::::::
siemens	simotics_connect_400_firmware	<= 0.3.0.95	cpe:2.3:o:siemens:simotics_connect_400_firmware::::::::
siemens	talon_tc_firmware	>= 3.0	cpe:2.3:o:siemens:talon_tc_firmware::::::::
siemens	desigo_pxc00-e.d_firmware	>= 2.3.0, < 6.00.327	cpe:2.3:o:siemens:desigo_pxc00-e.d_firmware::::::::
siemens	desigo_pxc00-u_firmware	>= 2.3.0, < 6.00.327	cpe:2.3:o:siemens:desigo_pxc00-u_firmware::::::::
siemens	desigo_pxc001-e.d_firmware	>= 2.3.0, < 6.00.327	cpe:2.3:o:siemens:desigo_pxc001-e.d_firmware::::::::
siemens	desigo_pxc12-e.d_firmware	>= 2.3.0, < 6.00.327	cpe:2.3:o:siemens:desigo_pxc12-e.d_firmware::::::::
siemens	desigo_pxc22-e.d_firmware	>= 2.3.0, < 6.00.327	cpe:2.3:o:siemens:desigo_pxc22-e.d_firmware::::::::
siemens	desigo_pxc22.1-e.d_firmware	>= 2.3.0, < 6.00.327	cpe:2.3:o:siemens:desigo_pxc22.1-e.d_firmware::::::::
siemens	desigo_pxc36.1-e.d_firmware	>= 2.3.0, < 6.00.327	cpe:2.3:o:siemens:desigo_pxc36.1-e.d_firmware::::::::
siemens	desigopxc50-e.d_firmware	—	cpe:2.3:o:siemens:desigopxc50-e.d_firmware:-:::::::*
siemens	desigopxc64-u_firmware	—	cpe:2.3:o:siemens:desigopxc64-u_firmware:-:::::::*
siemens	desigopxc100-e.d_firmware	—	cpe:2.3:o:siemens:desigopxc100-e.d_firmware:-:::::::*
siemens	desigopxc128-u_firmware	—	cpe:2.3:o:siemens:desigopxc128-u_firmware:-:::::::*
siemens	desigopxc200-e.d_firmware	—	cpe:2.3:o:siemens:desigopxc200-e.d_firmware:-:::::::*
siemens	desigopxm20-e_firmware	—	cpe:2.3:o:siemens:desigopxm20-e_firmware:-:::::::*

References for CVE-2019-13939

URL	Tags
https://cert-portal.siemens.com/productcert/html/ssa-162506.html
https://cert-portal.siemens.com/productcert/html/ssa-434032.html
https://cert-portal.siemens.com/productcert/pdf/ssa-162506.pdf	Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf	Vendor Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-105-06	Third Party Advisory US Government Resource

URL

CVE-2019-13939

Exploit prediction scoring system (EPSS) score for CVE-2019-13939

Common vulnerability scoring system (CVSS) metrics for CVE-2019-13939

Weakness enumeration for CVE-2019-13939

Affected software / configurations for CVE-2019-13939

References for CVE-2019-13939