Siemens WinCC 7.2 Multiple Vulnerabilities
Low Risk · ICS-CERT ICSA-13-169-02 · Mar 21, 2013
Summary
Siemens WinCC 7.2 and earlier, and SIMATIC PCS7 V8.0_SP1 and earlier, contain multiple vulnerabilities: SQL injection (CWE-89), hardcoded credentials (CWE-798), and a weakness this record describes as untrusted search path and files under CWE-425. Note that CWE-425 is MITRE's identifier for Direct Request ('Forced Browsing'); untrusted search path is CWE-426, so confirm the intended weakness against the upstream ICS-CERT advisory before mapping it into tooling. Depending on the flaw, an attacker with local or network access could execute arbitrary code, bypass authentication, or gain unauthorized control of the industrial process.
What this means
What could happen
An attacker with access to the engineering workstation or network could exploit these vulnerabilities to run arbitrary commands on WinCC or PCS7 systems, potentially altering process control logic, modifying setpoints, or disrupting industrial operations. The hardcoded credentials vulnerability could allow complete system compromise without legitimate user credentials.
Who's at risk
Water utilities, electric utilities, and manufacturing plants using Siemens WinCC as their supervisory control system or SIMATIC PCS7 as their process control platform are affected. This includes facilities that rely on these systems for SCADA/HMI functions, recipe management, data logging, or process automation. Engineering workstations and HMI servers running these products are at direct risk.
How it could be exploited
An attacker could use the SQL injection flaws to read or modify data in the WinCC database (WinCC stores its configuration and archive data in Microsoft SQL Server, so a successful injection runs with whatever rights the application's database login has), use the hardcoded credentials embedded in the software to log in without a legitimate account, or plant a malicious library where the application's search path finds it before the genuine one. Network-based exploitation is possible if WinCC or PCS7 services are reachable from the attacker's position; the library-planting path requires write access on the engineering workstation.
Prerequisites
- Network access to WinCC or PCS7 services (if exposed)
- Local access to engineering workstation running WinCC/PCS7
- Knowledge of or ability to discover hardcoded default credentials
- Ability to craft malicious SQL input, or to place a malicious library (DLL) where the application's search path finds it first
Key facts
- No patch available for the affected versions
- Hardcoded credentials in the software
- SQL injection vulnerability
- Untrusted search path allows loading of attacker-supplied code
- Low EPSS (0.4%) means a low estimated probability of exploitation in the wild over the next 30 days; it says nothing about exploit difficulty, and the weakness classes involved point to serious design flaws
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2), both end of life

Product       | Affected Versions | Fix Status
WinCC         | ≤ 7.2             | No fix (EOL)
SIMATIC PCS7  | ≤ V8.0 SP1        | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate WinCC and PCS7 engineering workstations and HMI servers from the corporate network, either air-gapped or behind a demilitarized zone (DMZ) with firewall rules that permit only the specific hosts, ports and directions the process needs
- HARDENING: Segment the control network so that only authorized engineering and operations hosts can reach WinCC/PCS7 services; block every path from the internet or the business network to those services
- WORKAROUND: Disable or restrict remote access capabilities in WinCC and PCS7 unless they are absolutely required for operations
- WORKAROUND: Where the software allows it, replace any default or hardcoded credentials through local configuration; where it does not, treat the affected service as untrusted and fence it off at the network layer; document the changes and restrict access to credential stores
Schedule — requires maintenance window
No vendor fix exists for these versions, but the configuration and monitoring changes below may still require a restart of the WinCC/PCS7 station, so plan for process interruption
- HARDENING: WinCC's own queries cannot be patched by the operator, so apply input validation and parameterized queries in site-developed scripts, reports and custom clients that talk to the WinCC SQL Server database, run those connections under least-privilege database logins, and restrict network access to the SQL Server instance to the hosts that need it
- HARDENING: Monitor WinCC and PCS7 stations for unusual database queries, bursts of failed Windows or SQL Server logons, logons with built-in or service accounts from unexpected hosts, new DLLs appearing in application directories, and setpoint or recipe changes with no matching change record
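The following is an added example, not code from this page or from Siemens, showing the pattern behind the SQL-injection hardening item above: a lookup that pastes a tag name into the statement text beside one that allow-lists the identifier and binds it as a parameter. It uses an in-memory SQLite database with a constructed, simplified schema and sample rows; the real WinCC schema on Microsoft SQL Server is different and is not reproduced here.

```python
import re
import sqlite3

# Constructed, simplified stand-in for a historian table and a user table.
# The real WinCC schema lives on Microsoft SQL Server and is not reproduced here.
SCHEMA = """
CREATE TABLE tag_values (
    tag_name TEXT NOT NULL,
    ts       TEXT NOT NULL,
    value    REAL NOT NULL
);
CREATE TABLE users (
    username      TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL
);
"""

# Sample rows, made up for this example.
SAMPLE_TAGS = [
    ("Pump1_Speed", "2013-03-21T10:00:00", 1450.0),
    ("Pump1_Speed", "2013-03-21T10:01:00", 1452.5),
    ("Tank2_Level", "2013-03-21T10:00:00", 63.2),
]
SAMPLE_USERS = [
    ("operator", "sha256$deadbeef"),
    ("engineer", "sha256$c0ffee"),
]


def make_db():
    """Build the in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tag_values VALUES (?, ?, ?)", SAMPLE_TAGS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, tag_name):
    """CWE-89: the caller-supplied tag name is spliced into the statement text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT ts, value FROM tag_values WHERE tag_name = '%s'" % tag_name
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, tag_name):
    """Parameter binding alone: the engine treats the whole input as one
    literal tag name, so an injection payload simply matches nothing."""
    sql = "SELECT ts, value FROM tag_values WHERE tag_name = ?"
    return conn.execute(sql, (tag_name,)).fetchall()


# Allow-list for tag identifiers: letters, digits and underscore, 1..64 chars.
TAG_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def hardened_lookup(conn, tag_name):
    """Reject anything not shaped like a tag name before it reaches the
    database, then bind it as a parameter as well (defence in depth)."""
    if not TAG_NAME_RE.match(tag_name):
        raise ValueError("rejected tag name: %r" % (tag_name,))
    return parameterized_lookup(conn, tag_name)


# Payload that turns the tag lookup into a dump of the user table.
PAYLOAD = "x' UNION ALL SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))
    print("parameterized:", parameterized_lookup(db, PAYLOAD))
    try:
        hardened_lookup(db, PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

The allow-list matters for the cases parameter binding cannot cover on its own, such as a tag or table name that has to be spliced into the statement as an identifier; rejecting the input early also keeps malformed names out of logs and error messages.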
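As an added example (not from this page or from the vendor) of the monitoring item above, the script below runs a sliding-window failed-logon detector over a few constructed log lines in a simplified CSV shape (timestamp, Windows event ID, host, source address, account). The lines are made up for the example and are not a real WinCC or Windows export. It raises one alert per source that produces a burst of 4625 failures and escalates the alert when a 4624 success from the same source follows within the window, which is the pattern a password-guessing run against a hardcoded or default account would leave behind.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: timestamp, Windows event ID, host, source address, account.
# 4625 = failed logon, 4624 = successful logon. Made up for this example.
SAMPLE_LOG = """\
2013-03-21 02:14:05,4625,WINCC-SRV01,10.1.5.23,operator
2013-03-21 02:14:09,4625,WINCC-SRV01,10.1.5.23,operator
2013-03-21 02:14:14,4625,WINCC-SRV01,10.1.5.23,administrator
2013-03-21 02:14:20,4625,WINCC-SRV01,10.1.5.23,administrator
2013-03-21 02:14:27,4625,WINCC-SRV01,10.1.5.23,engineer
2013-03-21 02:14:33,4625,WINCC-SRV01,10.1.5.23,engineer
2013-03-21 02:14:40,4624,WINCC-SRV01,10.1.5.23,engineer
2013-03-21 08:01:10,4625,WINCC-SRV01,10.1.5.40,operator
2013-03-21 08:01:30,4625,WINCC-SRV01,10.1.5.40,operator
2013-03-21 08:01:45,4624,WINCC-SRV01,10.1.5.40,operator
2013-03-21 09:15:00,4625,ENG-WS02,10.1.7.5,engineer
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_log(text):
    """Parse the constructed CSV shape into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, src, account = [f.strip() for f in line.split(",")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id, "host": host, "src": src, "account": account,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector. One alert per source address, raised when
    `threshold` failures fall inside `window`; escalated to high severity when a
    successful logon from the same source follows within `window` of the last failure."""
    recent = defaultdict(deque)   # src -> (ts, account) of failures still inside the window
    alerts = {}
    for ev in events:
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append((ev["ts"], ev["account"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if src in alerts:
                a = alerts[src]
                a["failures"] += 1
                a["last_fail"] = ev["ts"]
                a["accounts"].add(ev["account"])
            elif len(q) >= threshold:
                alerts[src] = {
                    "src": src, "host": ev["host"],
                    "first_fail": q[0][0], "last_fail": ev["ts"],
                    "failures": len(q), "accounts": {acct for _, acct in q},
                    "success_after_burst": None,
                }
        elif ev["event_id"] == SUCCESS_LOGON and src in alerts:
            a = alerts[src]
            if a["success_after_burst"] is None and ev["ts"] - a["last_fail"] <= window:
                a["success_after_burst"] = {"ts": ev["ts"], "account": ev["account"]}
    result = sorted(alerts.values(), key=lambda a: a["first_fail"])
    for a in result:
        a["severity"] = "high" if a["success_after_burst"] else "medium"
    return result


if __name__ == "__main__":
    for alert in detect_logon_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two failures from 10.1.5.40 followed by a success is the shape of an operator mistyping a password and stays below the threshold; the threshold and window are the knobs to tune against a site's real baseline of failed logons before wiring the alert into a SIEM.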
Long-term hardening
- HOTFIX: Plan migration to newer, patched versions of WinCC (7.3 or later) and PCS7 (V8.1 or later) as part of a long-term system modernization effort
API:
/api/v1/advisories/aacda9f6-315c-4aed-ac18-9e271052f098