OTPulse

ICSA-19-134-08 Siemens SIMATIC PCS7, WinCC, TIA Portal (Update D)

Act Now · CVSS 9.1 · ICS-CERT ICSA-19-134-08 · May 14, 2019
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Siemens SIMATIC PCS7, WinCC, and TIA Portal contain multiple vulnerabilities related to SQL injection (CWE-89), unsafe object deserialization (CWE-248), and unsafe deserialization of untrusted data (CWE-749). These vulnerabilities allow authenticated attackers with high-level privileges to inject malicious code through crafted project files or database queries. The vulnerabilities affect SIMATIC PCS7 v8.2 and earlier, SIMATIC WinCC v7.4 and earlier, SIMATIC WinCC (TIA Portal) v15 and earlier, and SIMATIC WinCC Runtime Professional v15 and earlier. Exploitation could result in arbitrary code execution on WinCC servers and PCS7 systems, potentially compromising process control, operator displays, alarm handling, and communication with field devices.

What this means
What could happen
An attacker with high-level access to WinCC or PCS7 engineering workstations could inject malicious code through SQL injection or unsafe file handling, allowing them to execute arbitrary commands on control system servers and alter process parameters, alarms, or operator displays across the entire facility.
Who's at risk
Water authorities, electric utilities, and other facilities using Siemens SIMATIC PCS7 (process control systems), WinCC (operator interfaces), or TIA Portal (engineering software) are affected. This includes HMI servers, engineering workstations, and any connected PLCs or remote terminal units (RTUs) that depend on these systems for control and monitoring. Organizations still running older versions (PCS7 v8.0 and earlier, WinCC v7.2 and earlier, or legacy TIA Portal v13) have no available patches and must rely entirely on compensating controls.
How it could be exploited
An attacker with engineering credentials or administrative access to a WinCC/PCS7 workstation could craft a malicious project file or database query that exploits SQL injection (CWE-89) or unsafe deserialization (CWE-248). When the file is opened or the query executed, the payload runs with the application's privileges, allowing command execution on the WinCC server or PCS7 system. This could then propagate to connected industrial devices depending on network architecture.
Prerequisites
  • Administrator or engineering credentials on the WinCC or PCS7 workstation
  • Ability to create or import project files into the application
  • Access to the WinCC/PCS7 database or project file system
  • Unencrypted communication enabled between workstation and control system server (default condition for older versions)
Risk factors
  • High privilege level required (engineering/admin credentials needed, limiting attack surface)
  • Low technical complexity if attacker has credentials
  • Affects process control and HMI visibility
  • No patch available for PCS7 v8.0 and earlier, WinCC v7.2 and earlier, or TIA Portal v13
  • CVSS score of 9.1 (critical)
  • SQL injection and unsafe deserialization vulnerabilities present
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (14): 14 pending

Product                                 | Affected Versions                     | Fix Status
SIMATIC PCS 7 V8.0 and earlier          | All versions                          | No fix yet
SIMATIC PCS 7 V8.1                      | < V8.1 with WinCC V7.3 Upd 19         | No fix yet
SIMATIC PCS 7 V8.2                      | < V8.2 SP1 with WinCC V7.4 SP1 Upd 11 | No fix yet
SIMATIC PCS 7 V9.0                      | < V9.0 SP2 with WinCC V7.4 SP1 Upd 11 | No fix yet
SIMATIC WinCC (TIA Portal) V13          | All versions                          | No fix yet
SIMATIC WinCC (TIA Portal) V14          | < V14 SP1 Upd 9                       | No fix yet
SIMATIC WinCC (TIA Portal) V15          | < V15.1 Upd 3                         | No fix yet
SIMATIC WinCC Runtime Professional V13  | All versions                          | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Enable encrypted communication in SIMATIC WinCC and SIMATIC PCS7 to prevent project file interception
WORKAROUND: Restrict project file imports to files from trusted, internal sources only; disable external file access or use code signing/integrity verification
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC (TIA Portal) V13
HOTFIX: Update SIMATIC WinCC (TIA Portal v14) to v14 SP1 Upd 9
HOTFIX: Update SIMATIC WinCC (TIA Portal v15) to v15.1 Upd 3
SIMATIC WinCC Runtime Professional V14
HOTFIX: Update SIMATIC WinCC Runtime Professional v14 to v14.1 Upd 8
SIMATIC WinCC Runtime Professional V15
HOTFIX: Update SIMATIC WinCC Runtime Professional v15 to v15.1 Upd 3
SIMATIC WinCC V7.3
HOTFIX: Update SIMATIC WinCC v7.3 to v7.3 Upd 19
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC v7.4 to v7.4 SP1 Upd 11
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC v7.5 to v7.5 Upd 3
All products
HOTFIX: Update WinCC to v7.3 Upd 19 on SIMATIC PCS7 v8.1 systems
HOTFIX: Update WinCC to v7.4 SP1 Upd 11 on SIMATIC PCS7 v8.2 and v9.0 systems
Long-term hardening
HARDENING: Segment WinCC/PCS7 engineering workstations from the business network and restrict administrative access to authorized personnel only
HARDENING: Implement network firewalls to isolate control system networks from the internet and limit remote access through VPN with multi-factor authentication
HARDENING: Apply defense-in-depth strategies including network segmentation, access controls, and continuous monitoring of WinCC/PCS7 systems