Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities (Update C)

Act NowCVSS 9.8ICS-CERT ICSA-16-208-01CApr 29, 2016

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple versions of Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional contain an input validation vulnerability (CWE-20) that allows unauthenticated remote attackers to execute arbitrary code or commands on affected HMI/SCADA servers. The vulnerability affects WinCC 7.0 SP2 through 7.4, all versions of PCS 7 that incorporate vulnerable WinCC versions, and WinCC Runtime Professional up to version 13 SP1 Update 8. Exploitation requires only network access to the WinCC server and no valid credentials.

What this means

What could happen

An unauthenticated attacker on the network could exploit input validation flaws in WinCC to execute arbitrary code or commands on the HMI/SCADA servers, potentially allowing them to manipulate process setpoints, shut down operations, or exfiltrate production data.

Who's at risk

This affects operators of Siemens process control systems, particularly in water treatment, wastewater, chemical production, and power generation plants. Any facility using WinCC as an HMI or PCS 7 for SCADA control should assess their exposure. Engineering teams managing the setup and operators monitoring plant status are directly impacted if systems become compromised.

How it could be exploited

An attacker sends a specially crafted request over the network to a WinCC interface (port 102, 502, or web interface). The server accepts the malformed input without proper validation and executes embedded commands. This could allow the attacker to interact directly with industrial processes through the compromised HMI or gain access to connected PLCs and control systems.

Prerequisites

Network access to the WinCC server (typically ports 102, 502, or 4840 for OPC)
No authentication required (critical vulnerability)
WinCC process must be running and reachable from attacker's network segment

remotely exploitableno authentication requiredlow complexityhigh EPSS score (17.8%)no patch available for affected versionsaffects safety-critical SCADA systems

Exploitability

Likely to be exploited — EPSS score 17.8%

Affected products (10)

10 EOL

ProductAffected VersionsFix Status

SIMATIC WinCC 7.0 SP2: <Update_12<Update 12No fix (EOL)

SIMATIC WinCC 7.0 SP3: <Update_8<Update 8No fix (EOL)

SIMATIC WinCC 7.2: <Update_13<Update 13No fix (EOL)

SIMATIC WinCC 7.3: <Update_10<Update 10No fix (EOL)

SIMATIC WinCC 7.4: <Update_1<Update 1No fix (EOL)

SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7): <V7.1_SP4_with_WinCC_V7.0_SP2_Update_12<V7.1 SP4 with WinCC V7.0 SP2 Update 12No fix (EOL)

SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7): <V8.0_SP2_with_WinCC_V7.2_Update_13<V8.0 SP2 with WinCC V7.2 Update 13No fix (EOL)

SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7): <8.1_SP1_with_WinCC_V7.3_Update_10<8.1 SP1 with WinCC V7.3 Update 10No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDImmediately restrict network access to WinCC servers using firewall rules. Limit communication to only trusted engineering workstations and control networks. Block access from untrusted subnets.

WORKAROUNDDisable or isolate the affected WinCC interface ports if not actively used in your process control workflow.

HARDENINGMonitor network connections to WinCC servers for suspicious activity. Log and alert on unexpected inbound connections.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Siemens Support to request an available patch, security update, or newer version that addresses CWE-20 input validation issues. Update to the latest WinCC version available for your platform.

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: SIMATIC WinCC 7.0 SP2: <Update_12, SIMATIC WinCC 7.0 SP3: <Update_8, SIMATIC WinCC 7.2: <Update_13, SIMATIC WinCC 7.3: <Update_10, SIMATIC WinCC 7.4: <Update_1, SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7): <V7.1_SP4_with_WinCC_V7.0_SP2_Update_12, SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7): <V8.0_SP2_with_WinCC_V7.2_Update_13, SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7): <8.1_SP1_with_WinCC_V7.3_Update_10, SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7): <8.2_with_WinCC_V7.4_Update_1, SIMATIC WinCC Runtime Professional: <V13_SP_1_Update_9. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate SCADA/HMI systems from corporate IT and external networks using demilitarized zones (DMZ) or dedicated control network architecture.

HARDENINGEvaluate migration to a more recent version of WinCC or PCS 7 platform to move away from end-of-support versions.

CVEs (2)

CVE-2016-5743 CVE-2016-5744

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/78e1452c-3179-4394-93d9-34941a356079

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.