usd-2025-36 | Teamcenter 2312.8 - Hardcoded Secrets
Product: Teamcenter
Affected Version: 2312.8
Vulnerability Type: Use of Hard-coded Credentials (CWE-798)
Security Risk: CRITICAL
Vendor: Siemens
Vendor URL: https://plm.sw.siemens.com/de-DE/teamcenter/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2026-33893
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2026-33893
Advisory ID: usd-2025-36
Description
The application contains hardcoded secrets.
Examples for these secrets are authentication information, tokens, or keys.
They are typically used to authenticate the application to services or to create and validate signatures.
By storing the secrets inside the application itself, these could be revealed by an attacker disclosing the source code.
Furthermore, the use of hardcoded secrets increases the likelihood of them being reused in multiple environments, such as development and production.
This makes this information accessible to a larger number of people.
This is particularly serious because the secrets cannot be easily changed due to being stored in an inflexible way.
Proof of Concept
The Teamcenter FMS client cache (FCC) binary contains hardcoded secrets.
As the following output from the class PasswordTool shows, the function encrypt has two overloads, the first one taking the password and a secret key as parameters, the second one only taking the password.
In case the second overload is used, a hardcoded default key is utilized, which is also defined within the same class.
Note that the following code is a result of decompilation and the actual line numbers may vary.
Static key:
public final class PasswordTool { private static final byte[] DEFAULT_KEYBYTES = new byte[]{-42, 26, -38, 69, 11, 120, 123, 50, -74, -70, -8, 77, 91, 64, 63, 59}; private static final SecretKey DEFAULT_KEY = new SecretKeySpec(DEFAULT_KEYBYTES, "AES");
First function overload:
public static String encrypt(String password, SecretKey key) throws [...] { try { Base64 base64coder = new Base64(); Cipher cipher = Cipher.getInstance(key.getAlgorithm()); cipher.init(1, key); return new String(base64coder.encode(cipher.doFinal(password.getBytes("UTF-8"))), "UTF-8"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); return null; } }
Second function overload:
public static String encrypt(String password) throws [...] { return PasswordTool.encrypt(password, DEFAULT_KEY); }
In practice, it appears that the application actually uses the insecure encryption routine with the default key, such as in the class PerformanceMeasurementHandler, which actually seems to write the encrypted password into a file.
encryptedAuthCode = PasswordTool.encrypt((String)authString);
Fix
It is recommended to store secrets outside the source code in a strongly protected configuration file or database.
Different keys and tokens should be used for separate environments.
References
Timeline
- 2025-07-28: Vulnerabilities initially reported via Siemens' vulnerability handling and disclosure process.
- 2025-08-20: Siemens report that they could reproduce the findings and are working on a fix.
- 2026-05-12: Siemens releases a fix and publishes an advisory about the findings, see https://cert-portal.siemens.com/productcert/html/ssa-827383.html
- 2026-07-14: This advisory is published.
Credits
This security vulnerability was identified by Tim Wörner of usd AG.