
Multiple Vulnerabilities in Siemens Teamcenter Enable Cross-Site Scripting, Arbitrary JavaScript Execution, and Cryptographic Key Compromise (CVE-2024-4367, CVE-2026-33862, CVE-2026-33893)

Written by The 1898 & Co. Team | May 13, 2026

Siemens, through ProductCERT advisory SSA-827383, has disclosed three vulnerabilities affecting its Teamcenter product lifecycle management (PLM) platform. The advisory carries an aggregated CVSS v3.1 base score of 7.5 and a CVSS v4.0 base score of 8.7, reflecting the combination of a hardcoded cryptographic key flaw, a stored cross-site scripting weakness, and a previously disclosed PDF.js vulnerability that is reachable through Teamcenter's web client. The individual issues are tracked as CVE-2024-4367 (CVSS v3.1 5.6), CVE-2026-33862 (CVSS v3.1 7.3 / v4.0 8.5), and CVE-2026-33893 (CVSS v3.1 7.5 / v4.0 8.7), and Siemens published patched releases for every supported branch on May 12, 2026.

Technically, CVE-2024-4367 is a missing type-check in the PDF.js JavaScript renderer that allows an attacker to embed arbitrary JavaScript inside a maliciously crafted PDF font definition; when a Teamcenter user opens the document through the affected web client, that JavaScript executes in the browser context already authenticated to the PLM application. CVE-2026-33862 is an improper-encoding flaw in the Teamcenter web layer that enables stored or reflected cross-site scripting against authenticated sessions, providing a parallel path to credential theft and unauthorized data access. CVE-2026-33893 stems from cryptographic keys hardcoded inside the application binaries; recovery of those keys by any party with access to Teamcenter installation media or an unpatched binary enables unauthorized access to data protected by those keys across every customer deployment of the same release branch. No active exploitation of the Teamcenter-specific CVEs is documented at the time of publication, but public proof-of-concept exploits for CVE-2024-4367 have circulated since 2024 and lower the practical barrier to weaponization.

Because Teamcenter sits at the center of design, engineering change management, bill-of-materials, and document-control workflows in aerospace, automotive, defense, energy, and process-industry enterprises, the business risk is substantial even though the platform is not itself an industrial control system. Successful exploitation can expose proprietary CAD models, manufacturing instructions, engineering change orders, supplier configurations, and certification records, and can place trusted attacker-controlled content into the engineering supply chain that feeds OT shops and EPC contractors. Operators should treat the May 12, 2026 patches as priority remediations and apply the configuration mitigations published by Siemens for any deployment that cannot be updated immediately.

Threats and Vulnerabilities

CVE-2024-4367, with a CVSS v3.1 score of 5.6, is a missing type-check vulnerability in the PDF.js library bundled with the affected Teamcenter releases that allows an attacker to embed and execute arbitrary JavaScript through a malformed font definition inside a PDF document. When an authenticated Teamcenter user opens the malicious PDF through the web client, the embedded JavaScript runs in the browser's session context, providing the attacker with a foothold to exfiltrate session tokens, issue PLM API calls on behalf of the user, or pivot into adjacent web applications served from the same origin. The vulnerability has been publicly known since 2024 and multiple proof-of-concept exploits are available, which materially lowers the effort required to weaponize the issue against an unpatched Teamcenter user base. Siemens has remediated the issue by upgrading the bundled PDF.js engine in Teamcenter V2312.0009, V2406.0006, V2412.0009, and V2506.0005; Teamcenter V2512 is unaffected.

CVE-2026-33862, with a CVSS v3.1 score of 7.3 and a CVSS v4.0 score of 8.5, is an improper-encoding vulnerability in the Teamcenter web layer, which fails to properly encode or filter user-supplied data before rendering it back into the application interface. The condition enables cross-site scripting attacks in which an authenticated attacker stores malicious script content that later executes in the browsers of other users (including privileged administrators) who view the affected pages or items, or in which a malicious link triggers the script directly against the recipient. Successful exploitation gives the attacker session hijacking, privilege escalation through stolen administrative sessions, and the ability to make unauthorized changes to engineering records or workflow approvals. Siemens has remediated the issue in Teamcenter V2312.0014, V2406.0012, V2412.0009, and V2506.0005.

CVE-2026-33893, with a CVSS v3.1 score of 7.5 and a CVSS v4.0 score of 8.7, is the use of hardcoded cryptographic keys inside the Teamcenter application binaries. Because the same keys are embedded in every customer installation of an affected release, any party with access to vulnerable installation media or to a recovered binary can extract the keys and use them to decrypt, sign, or otherwise tamper with the data the application protects with those keys, across every customer running the same release. The flaw is particularly impactful for organizations sharing engineering data with external EPC contractors, suppliers, and partners, where the binaries are likely to be present on machines outside the operator's direct administrative control. Siemens has remediated the issue in Teamcenter V2312.0014, V2406.0012, V2412.0009, and V2506.0005, and the new releases use deployment-specific key material.

Client Impact

Operationally, an unmitigated Teamcenter deployment carrying these three CVEs presents a layered exposure surface that touches every engineering, change-management, and document-control workflow the platform supports. An attacker who weaponizes CVE-2024-4367 or CVE-2026-33862 against a single privileged user can leverage that foothold to exfiltrate proprietary engineering content, alter bill-of-materials records, approve unauthorized engineering change orders, or inject malicious instructions into the engineering data that downstream EPC, OT, and manufacturing teams treat as authoritative. The cryptographic key compromise described in CVE-2026-33893 expands the blast radius beyond any single installation, because data protected by the static keys can in principle be processed by an attacker outside the operator's environment whenever they obtain a copy of that data. The Teamcenter platform itself is not an industrial control system, but it sits at the boundary between corporate engineering networks and OT shops, and a compromise can therefore translate into supply-chain risk for the physical product.

From a compliance and regulatory perspective, organizations subject to NIST SP 800-171 and CMMC for protected manufacturing information, the EU NIS2 Directive for entities providing critical products and services, ITAR and EAR controls on export-controlled engineering data, the IEC 62443 family for industrial automation lifecycle assurance, and customer-specific contractual data-protection clauses should treat these vulnerabilities as priority remediations. Each CVE plausibly enables unauthorized disclosure of controlled technical data or tampering with engineering records that would constitute a reportable event under at least one applicable framework, and the hardcoded-key issue specifically requires a documented analysis of which deployments hold data still protected only by the legacy keys. Operators should also evaluate whether any third-party assessments, supplier audits, or certification artifacts require re-issue under deployment-specific key material once the patched releases are in place.

Mitigations

The following actions should be performed in priority order to reduce exposure to the three CVEs disclosed in SSA-827383 across every Siemens Teamcenter deployment. The patched releases supersede the configuration mitigations below for environments where the upgrade can be completed within the operator's change-management window.

1. Update each Teamcenter installation to the patched release for its supported branch: V2312 to V2312.0014, V2406 to V2406.0012, V2412 to V2412.0009, and V2506 to V2506.0005; instances already on V2512 are unaffected, and any deployment running an older, unsupported branch should be migrated onto a supported and patched branch as part of the same change.

2. Until the upgrade can be applied, restrict access to the Teamcenter web client to authenticated users on trusted internal networks only, place the web tier behind a web application firewall configured to block the published PDF.js exploit patterns and common cross-site-scripting payload shapes, and disable the in-browser PDF rendering capability for any user group that does not require it.

3. Rotate any externally exchanged keys, tokens, or signed artifacts that may have been protected by the hardcoded keys disclosed in CVE-2026-33893, treat any data that was encrypted or signed by the static keys as potentially compromised, and re-issue or re-sign that material using deployment-specific keys produced by the patched release.

4. Force a password reset for all interactive Teamcenter accounts after the upgrade and review session-management and single-sign-on integration logs for the period from May 12, 2026 (the public disclosure date) through the date of patching, prioritizing accounts that opened PDF attachments through the web client or that interacted with externally submitted documents in that window.

5. Audit Teamcenter administrator and workflow-approver accounts for unexpected delegation, role grants, or workflow rule changes during the same period, validate the integrity of any engineering change orders or bill-of-materials records that were modified during the window, and confirm with downstream EPC, OT, and supplier consumers that the engineering data they received during that window remains authoritative.

Until the patched releases are deployed and the post-patch audit is complete, these compensating controls represent the operative protection against the disclosed vulnerabilities.
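
For mitigation step 1, the Python below is an added example (not code from Siemens or 1898 & Co.) that triages a version inventory against the fixed releases listed in this advisory and reports which of the three CVEs remain open on each host. The hostnames and sample versions are constructed, and the "Vbranch.patch" string format is assumed from how this advisory writes release numbers.

```python
import re

# Fixed patch level per CVE and branch, transcribed from this advisory's text.
FIXED = {
    "CVE-2024-4367":  {"V2312": 9,  "V2406": 6,  "V2412": 9, "V2506": 5},
    "CVE-2026-33862": {"V2312": 14, "V2406": 12, "V2412": 9, "V2506": 5},
    "CVE-2026-33893": {"V2312": 14, "V2406": 12, "V2412": 9, "V2506": 5},
}
UNAFFECTED = {"V2512"}  # branch the advisory states is unaffected
# Assumed string format: optional "V", four-digit branch, optional ".patch".
VERSION_RE = re.compile(r"^\s*V?(\d{4})(?:\.(\d{1,4}))?\s*$", re.IGNORECASE)

def triage(version):
    """Return (status, open_cves) for one Teamcenter version string."""
    m = VERSION_RE.match(version or "")
    if not m:
        return ("unparseable", [])
    branch, patch = "V" + m.group(1), int(m.group(2) or 0)
    if branch in UNAFFECTED:
        return ("unaffected", [])
    if not any(branch in fixes for fixes in FIXED.values()):
        # Not named in the advisory: review by hand; older branches need migration.
        return ("unlisted-branch", [])
    open_cves = sorted(c for c, fixes in FIXED.items() if patch < fixes[branch])
    return ("vulnerable" if open_cves else "patched", open_cves)

def triage_inventory(inventory):
    """Map host -> (status, open_cves), hosts with the most open CVEs first."""
    results = {host: triage(v) for host, v in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (-len(kv[1][1]), kv[0])))

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = {
    "plm-prod-01": "V2312.0009",   # PDF.js fix present, other two fixes missing
    "plm-prod-02": "V2406.0012",
    "plm-dev-01": "V2512.0001",
    "plm-old-01": "V2206.0003",
    "plm-test-01": "2506.0004",
}

if __name__ == "__main__":
    for host, (status, cves) in triage_inventory(SAMPLE).items():
        print(f"{host:12} {status:16} {', '.join(cves) or '-'}")
```

A host such as the constructed plm-prod-01 shows why a per-CVE check matters: V2312.0009 carries the PDF.js fix but still predates the V2312.0014 release that addresses the other two CVEs.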

1898 & Co. Response

1898 & Co. has reviewed Siemens ProductCERT advisory SSA-827383, the Mozilla and PDF.js documentation associated with CVE-2024-4367, and the public proof-of-concept tooling that has circulated for the PDF.js issue since 2024, and has classified the aggregated advisory as High severity given the combination of authenticated cross-site scripting, browser-context JavaScript execution, and a cross-customer cryptographic key compromise in a platform that holds engineering intellectual property and authoritative product data. The firm is actively coordinating with managed-security and managed-detection clients whose architectures include Teamcenter deployments.

1898 & Co. recommends that affected clients immediately inventory every Teamcenter installation, identify the release branch and current minor version for each one, and schedule the upgrade to the patched release published by Siemens on May 12, 2026, inside an expedited change window. Clients enrolled in managed threat hunting will receive a parallel hunt-plan deliverable derived from this advisory covering PDF.js exploit reception via Teamcenter, cross-site scripting against the Teamcenter web tier, and detection of any data signed or encrypted with the legacy hardcoded keys. Hunt coverage is being staged across CrowdStrike Falcon, Datadog log management, Wireshark and tcpdump network captures, Windows event analysis, and any OT monitoring platforms operating between the engineering network and the downstream industrial network.

For sites where Teamcenter exchanges engineering data with external EPC contractors, suppliers, or fabrication partners, 1898 & Co. is offering targeted compromise assessments that include a forensic review of recent PDF imports and document submissions, an audit of recent administrative role grants and workflow-rule changes, validation of integrity for engineering change orders processed during the disclosure-to-patch window, and a re-issue plan for any externally exchanged artifact protected by the legacy keys. Clients should contact their 1898 & Co. account team or the incident response hotline to initiate any of these engagements, prioritize patch deployment windows, or request assistance interpreting findings from the accompanying threat hunt plan.

Sources

1. Siemens ProductCERT Security Advisory SSA-827383 — Multiple Vulnerabilities in Teamcenter

2. NVD Entry — CVE-2024-4367

3. NVD Entry — CVE-2026-33862

4. NVD Entry — CVE-2026-33893