Siemens SIMATIC ProSave, SIMATIC CFC, SIMATIC STEP 7, SIMOTION Scout, and STARTER Insufficiently Qualified Paths (Update A)
Low Risk | ICS-CERT ICSA-15-064-02A | Dec 6, 2015
Summary
Siemens SIMATIC ProSave, SIMATIC CFC, SIMATIC STEP 7, SIMOTION Scout, and STARTER contain insufficiently qualified paths (CWE-426), which may allow local attackers to gain elevated privileges or bypass security controls if they can place malicious files in accessible directories during software installation or execution. The vulnerability affects multiple versions across these engineering and development software suites.
What this means
What could happen
An attacker with local access to an engineering workstation could inject malicious code into the software supply chain or escalate privileges to modify control system configurations, potentially affecting PLC logic, process parameters, or HMI settings across connected industrial systems.
Who's at risk
Operators of water utilities, municipal electric systems, chemical facilities, and other critical infrastructure that use Siemens engineering workstations to configure or maintain SIMATIC S7 PLCs, safety systems (SIMOTION), and distributed control systems (PCS 7). Any organization relying on these tools to develop or modify control logic is at risk if engineering workstations are not properly isolated from untrusted network access.
How it could be exploited
An attacker with local or network access to an engineering workstation running affected Siemens software could plant a malicious library or executable in an insufficiently protected directory path. When the application or Windows searches for dependencies, it loads the attacker's code instead of the legitimate component, executing with the application's privileges and potentially allowing modification of control logic or engineering projects before deployment to PLCs and process control systems.
Prerequisites
- Local or network access to an engineering workstation running affected Siemens software
- Ability to write files to shared drives or directories in the application search path
- Windows environment without strict file permission controls or DLL search order enforcement
- No patch available for most affected versions
- Affects engineering workstations which are supply-chain sensitive
- Low technical complexity attack requiring file system write access
- Could enable supply-chain compromise of control system projects
- Multiple Siemens product lines affected
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (15)
10 with fix, 2 pending, 3 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC ProSave: <V13_SP1 | <V13 SP1 | No fix (EOL) |
| CFC V8.0 SP4: <V8.0_SP4_Upd_9 | <V8.0 SP4 Upd 9 | No fix yet |
| STEP 7 V5.5 SP1: <V5.5_SP1_HF2 | <V5.5 SP1 HF2 | No fix yet |
| SIMOTION Scout: <V4.4 | <V4.4 | V4.4 |
| STARTER: <V4.4_HF3 | <V4.4 HF3 | V4.4_HF3 |
| SIMATIC CFC: <V8.0_SP4 | <V8.0 SP4 | V8.0_SP4_Upd_9 |
| CFC V8.1: <V8.1_Upd1 | <V8.1 Upd1 | V8.1_Upd1 |
| PCS 7 with STEP 7 CFC V8.1 Upd1: <V8.1 | <V8.1 | V8.1_Upd1 |
Remediation & Mitigation
Do now
- HARDENING: Isolate engineering workstations from general-purpose networks and untrusted users. Restrict network access to these machines to only necessary engineering tools and PLC communication.
- WORKAROUND: Disable or remove unnecessary shared library paths and startup directories from application search order. Document and restrict which directories each application is allowed to load code from.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Apply Windows hardening: enforce DLL search order settings (KnownDLLs registry), remove '.' (current directory) from PATH, and require administrators to explicitly manage shared drive permissions to prevent unauthorized file writes to application directories.
- HARDENING: Implement file integrity monitoring on engineering workstations to detect unauthorized modifications to Siemens application directories, library paths, and project files.
- HARDENING: Review and audit local file permissions on shared drives and application installation directories. Ensure only authorized engineering staff and system accounts can write to these locations.
- HOTFIX: Keep affected Siemens software fully patched where updates are available (STEP 7 V5.5 SP1 HF2, SP2 HF7, SP4 HF4; CFC V8.0 SP4 Upd 9, V8.1 Upd1; STARTER V4.4 HF3; SIMOTION Scout V4.4; ProSave V13 SP1). For versions with no fix available, enforce compensating controls.
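The search-path steps above (removing '.' from PATH, keeping shared drives out of the search order, documenting the directories code may load from) can be checked with a short script. This is an added example, not Siemens or ICS-CERT code; the trusted-root allowlist, the `network_drives` parameter and the sample PATH are assumptions. It inspects the PATH string only and does not read directory ACLs.

```python
import ntpath

# Assumed allowlist of directories that only administrators can write to by
# default; replace it with the directories documented for your workstation.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def _norm(p):
    """Normalise a Windows path for comparison (case, slashes, '..')."""
    return ntpath.normcase(ntpath.normpath(p))


def audit_search_path(path_value, trusted_roots=TRUSTED_ROOTS, network_drives=()):
    """Return (entry, finding) tuples for PATH entries that deserve review.

    network_drives: drive letters such as "Z:" known to be mapped shares.
    """
    roots = [_norm(r) for r in trusted_roots]
    net = {d.lower() for d in network_drives}
    findings = []
    for raw in path_value.split(";"):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # empty segment, e.g. from a trailing ';'
        drive = ntpath.splitdrive(ntpath.normpath(entry))[0].lower()
        if not ntpath.isabs(entry):
            findings.append((entry, "relative: resolved against the current directory"))
        elif drive.startswith("\\\\") or drive in net:
            findings.append((entry, "network share: writable by whoever can write to the share"))
        elif not any(_norm(entry) == r or _norm(entry).startswith(r + "\\") for r in roots):
            findings.append((entry, "outside trusted roots: check directory ACLs"))
    return findings


if __name__ == "__main__":
    # Constructed PATH value for illustration; not taken from a real system.
    sample = (r"C:\Windows\System32;.;C:\Program Files\Vendor\App\bin;"
              r"\\fileserver\eng\tools;Z:\shared\bin;C:\Temp\utils;tools\bin")
    for entry, finding in audit_search_path(sample, network_drives=("Z:",)):
        print(f"{entry:30} {finding}")
```

Entries reported as outside the trusted roots still need their permissions reviewed on the workstation itself, as the file-permission audit step describes.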
CVEs (1)