Executive Summary

CVE-2024-4367 is a type confusion flaw in the PDF.js rendering library bundled with Siemens Teamcenter, where a missing check on the fontMatrix field allows arbitrary JavaScript execution the moment a malicious PDF is opened in the client. In a product lifecycle management context this is not a browser nuisance, it is code execution inside the system that holds the engineering drawings, bills of material, and change records that define how a plant is built and modified.

Technical Exposure Breakdown

The root cause sits in the PDF.js font handling path. When a document supplies a fontMatrix value that is not numeric, the library concatenates the attacker controlled value directly into a string that is later evaluated. There is no type validation before that value crosses into an execution boundary, which is the definition of a type confusion condition. The result is JavaScript running in the security context of the rendering component.

Teamcenter embeds this rendering path in Active Workspace and related viewer functionality. Affected versions include Teamcenter V2312 prior to 2312.0009 and 2312.0014, and V2406 prior to 2406.0012, with related identifiers CVE-2026-33862 and CVE-2026-33893 tracked in the same advisory set. The attack vector is a document, not a network probe. A user opens a supplied part specification, vendor datasheet, or revision markup, and the payload fires. The CVSS score of 8.8 reflects the low barrier: user interaction is required but the privileges needed by the attacker are minimal, and the payload delivery mechanism is a file format that moves through engineering teams constantly.

This vulnerability is not KEV flagged at the time of writing, but the PDF.js class of bug has public proof of concept code, and the exploitation logic is trivial to reproduce. Do not treat the absence of a known exploited vulnerability catalog entry as evidence of low risk.

OT Impact and Compliance Risk

Teamcenter is rarely thought of as an OT asset, and that is exactly the blind spot. It sits at the boundary between engineering IT and the operational environment. The design files, control logic references, P&ID diagrams, and equipment configurations that flow through Teamcenter feed directly into what gets deployed on the plant floor. Execution inside that system means an attacker can alter, exfiltrate, or corrupt the authoritative source of engineering truth. A tampered revision that reaches a controls integrator is a physical safety problem, not a data problem.

For IEC 62443 environments this cuts across zone and conduit assumptions. Teamcenter usually lives in a higher trust engineering zone that has write access to lower zones through the change management pipeline. That trust relationship is what makes execution here valuable to an adversary. Under NERC CIP, the drawings and configurations governed by Teamcenter often qualify as BES Cyber System Information, so integrity and confidentiality loss maps to CIP-011 obligations. For water utilities under AWIA 2018 and pipeline operators under TSA SD-02C, the engineering document repository is part of the critical cyber system inventory and its compromise undermines the risk and resilience assessment those programs require.

Compensating Controls

Patching is the endpoint, but Teamcenter upgrades are slow because they touch integrations and validated workflows. Do not wait for a clean maintenance window without interim controls in place.

Note that active scanning against Teamcenter server infrastructure integrated with OT change management can disrupt in flight transactions. Validate any assessment tooling against a staging instance first rather than probing production repositories.

BreachSpider Intel

BreachSpider tracks CVE-2024-4367 and the associated Teamcenter advisory set with continuous monitoring for exploitation signals and version exposure across OT connected engineering environments.