Siemens WinCC Insecure SQL Server Authentication
Low Risk | ICS-CERT ICSA-12-205-01 | Apr 26, 2012
Summary
SIMATIC WinCC and PCS 7 contain insecure SQL Server authentication mechanisms. The vulnerability allows unauthorized access to the backend SQL Server database through hardcoded or default credentials. This could enable an attacker to read, modify, or delete process data, configurations, alarms, and historical logs without proper authentication. Affected versions: WinCC prior to V7.0_SP2_Update_1_V_7.0.2.1 and PCS 7 prior to V7.1_SP2.
What this means
What could happen
An attacker with network access to the SQL Server backend could use hardcoded or default credentials to gain unauthorized access to the WinCC or PCS 7 database, potentially allowing them to read, modify, or delete critical process configuration and historical data.
Who's at risk
Water and electric utilities, wastewater treatment facilities, and other process industries operating Siemens WinCC or PCS 7 SCADA systems. Specifically, anyone using these platforms for supervisory control, data logging, and recipe/alarm management should be aware of the database authentication weakness.
How it could be exploited
An attacker identifies the SQL Server instance supporting WinCC or PCS 7 on the network, discovers or guesses the hardcoded/default database credentials embedded in the application, and connects directly to the database to execute unauthorized queries or commands.
Prerequisites
- Network access to the SQL Server port (default 1433)
- Knowledge of or ability to discover hardcoded/default database credentials
- SQL Server instance must be accessible from attacker's network position (often internal/OT network)
Default credentials | No authentication required for database backend | No patch available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIMATIC WinCC: <V7.0_SP2_Update_1_V_7.0.2.1 | <V7.0 SP2 Update 1 V 7.0.2.1 | No fix (EOL)
SIMATIC PCS 7: <V7.1_SP2 | <V7.1 SP2 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the SQL Server instance to only authorized WinCC/PCS 7 clients and engineering workstations using firewall rules or network segmentation
- WORKAROUND: Change default SQL Server credentials to strong, unique values; document and restrict credential access to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement SQL Server authentication using Windows domain accounts instead of SQL authentication where possible
- HARDENING: Monitor SQL Server logs for unauthorized connection attempts and database access patterns
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC WinCC: <V7.0_SP2_Update_1_V_7.0.2.1, SIMATIC PCS 7: <V7.1_SP2. Apply the following compensating controls:
- HARDENING: Isolate the WinCC/PCS 7 system and its SQL Server backend on a dedicated OT network segment with strict ingress/egress controls
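One way to act on the log-monitoring and network-restriction items above is to review the SQL Server ERRORLOG logon entries against the list of authorized hosts. This is an added example, not part of the advisory or any Siemens tooling. It assumes login auditing records both failed and successful logins; the subnet, login names and log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: subnet holding the authorized WinCC/PCS 7 clients and engineering workstations.
AUTHORIZED_NETS = [ip_network("192.0.2.16/28")]

# Constructed sample lines in the SQL Server ERRORLOG "Logon" format (login names are placeholders).
SAMPLE_LOG = r"""
2012-04-26 10:15:01.10 Logon       Login succeeded for user 'PLANT\eng1'. Connection made using Windows authentication. [CLIENT: 192.0.2.20]
2012-04-26 10:15:02.45 Logon       Login failed for user 'example_app_login'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.77]
2012-04-26 10:15:03.02 Logon       Login succeeded for user 'example_app_login'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.77]
2012-04-26 10:15:09.31 Logon       Login succeeded for user 'example_app_login'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.21]
2012-04-26 10:15:12.00 Logon       Login succeeded for user 'NT AUTHORITY\SYSTEM'. Connection made using Windows authentication. [CLIENT: <local machine>]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'\."
    r"(?P<detail>.*?)\[CLIENT: (?P<client>[^\]]+)\]"
)

def review_logons(log_text, authorized_nets=AUTHORIZED_NETS):
    """Return (timestamp, user, client, reasons) for each logon entry that needs review."""
    findings = []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        client = m["client"].strip()
        reasons = []
        if client != "<local machine>":
            try:
                addr = ip_address(client)
                if not any(addr in net for net in authorized_nets):
                    reasons.append("client outside authorized hosts")
            except ValueError:
                reasons.append("unparseable client")
        if m["result"] == "failed":
            reasons.append("failed login")
        elif "SQL Server authentication" in m["detail"]:
            # Windows domain accounts are the preferred mechanism, so SQL logins are listed.
            reasons.append("SQL authentication in use")
        if reasons:
            findings.append((m["ts"], m["user"], client, reasons))
    return findings

if __name__ == "__main__":
    for ts, user, client, reasons in review_logons(SAMPLE_LOG):
        print(f"{ts} {user} from {client}: {', '.join(reasons)}")
```

A successful SQL-authentication login from a host outside the authorized subnet is the entry to investigate first, since it indicates that both the network restriction and the credential change are not yet effective.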
CVEs (1)