OTPulse

Siemens SIMATIC, SINAMICS, SINEC, SINEMA, SINUMERIK (Update J)

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-20-161-04 | Jun 9, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

This advisory addresses a local privilege escalation vulnerability present in multiple Siemens industrial automation products. An attacker with a standard user account on an affected engineering workstation or software controller can exploit the flaw to gain SYSTEM-level privileges and execute arbitrary code. The vulnerability does not require special credentials, specific product configuration, or complex technical knowledge to exploit. Affected products include SIMATIC STEP 7 (TIA Portal) versions 13–16, SIMATIC WinCC (Runtime Professional and Runtime Advanced versions 13–16, OA v3.16–v3.17, and v7.4–v7.5), SINUMERIK Operate and ONE virtual, SINAMICS Startdrive and STARTER, SIMATIC NET PC Software (v14, v16; no fix planned for v15), SIMATIC PCS neo, SIMATIC Automation Tool, SIMATIC ProSave, SIMATIC S7-1500 Software Controller, SINEC NMS, and SINEMA Server. Siemens has released patches for most products. Workarounds include removing suspicious executables and disabling the TraceConceptX service.

What this means
What could happen
A local attacker with regular user credentials on engineering workstations running Siemens automation software could escalate their privileges to SYSTEM level and execute arbitrary code, potentially allowing them to modify control logic, alter process parameters, or sabotage plant operations.
Who's at risk
Manufacturing facilities using Siemens automation and control engineering software should assess their exposure. This primarily affects organizations running SIMATIC STEP 7 (TIA Portal), WinCC, SINUMERIK, SINAMICS, SINEC, SINEMA, or related products on engineering workstations. Users deploying CNC machines, motor drives, PLCs, and SCADA/HMI systems should prioritize patching immediately, especially if those engineering workstations have local users with lower privilege levels.
How it could be exploited
An attacker with local user access to a Siemens engineering workstation (e.g., SIMATIC STEP 7, WinCC, SINUMERIK, SINEC) exploits a privilege escalation flaw to run arbitrary code with SYSTEM privileges. This could be used to modify PLC programs, SCADA configurations, or operator interfaces without authorization. The attack requires local access, whether physical or network-based; it is not remotely exploitable.
Prerequisites
  • Local user account on an affected Siemens engineering workstation or control system PC
  • One or more affected products installed (STEP 7 TIA Portal, WinCC, SINUMERIK, SINEC, or related tools)
  • No special configuration required; flaw present in default installations
Key points
  • Local privilege escalation; not remotely exploitable
  • Affects widely deployed Siemens engineering platforms
  • Default installations are vulnerable; no special configuration required
  • No patch available for SIMATIC NET PC Software V15
  • Could enable modification of PLC programs and control system logic
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (27)
26 with fix, 1 pending
Product | Affected Versions | Fix Status
SINEMA Server | <V14 SP3 | 14 SP3
SINUMERIK ONE virtual | <V6.14 | 6.14
SINUMERIK Operate | <V6.14 | 6.14
SIMATIC Automation Tool | <V4 SP2 | 4 SP2
SIMATIC NET PC Software V14 | <V14 SP1 Update 14 | 14 SP1 Update 14
Remediation & Mitigation
Do now
WORKAROUND: Remove the executable files C:\Program.exe, C:\Program Files\Common.exe, and C:\Program Files\Common Files\Siemens\Automation\Simatic.exe
WORKAROUND: Disable the Windows service TraceConceptX as a temporary workaround (accept loss of tracing functionality)
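
A read-only audit of the two workarounds above, as an added example that is not part of the advisory or of Siemens tooling: it reports whether any of the three listed executables exist and whether the TraceConceptX service is still enabled. It assumes Windows PowerShell 5.1 or later and that "TraceConceptX" matches the service name or its display name.

```powershell
# Added example: read-only audit of the two "Do now" workarounds.
# File paths and the service name come from the advisory text above.
$paths = @(
    'C:\Program.exe',
    'C:\Program Files\Common.exe',
    'C:\Program Files\Common Files\Siemens\Automation\Simatic.exe'
)

# 1) Any executable at these exact paths should be investigated and removed.
$findings = @(foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $item  = Get-Item -LiteralPath $p -Force
        $owner = (Get-Acl -LiteralPath $p).Owner
        $sig   = (Get-AuthenticodeSignature -LiteralPath $p).Status
        $hash  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        [pscustomobject]@{
            Check  = 'Executable present'
            Target = $p
            Detail = "Owner=$owner; CreatedUtc=$($item.CreationTimeUtc.ToString('s')); " +
                     "Signature=$sig; SHA256=$hash"
        }
    }
})

# 2) TraceConceptX should be stopped and disabled until the fix is installed.
# Assumption: 'TraceConceptX' is the service name or its display name.
$svc = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name='TraceConceptX' OR DisplayName='TraceConceptX'"
foreach ($s in $svc) {
    if ($s.StartMode -ne 'Disabled' -or $s.State -ne 'Stopped') {
        $findings += [pscustomobject]@{
            Check  = 'Service not disabled'
            Target = $s.Name
            Detail = "StartMode=$($s.StartMode); State=$($s.State); RunsAs=$($s.StartName)"
        }
    }
}

if ($findings.Count -eq 0) {
    'OK: no listed executables present; TraceConceptX absent or disabled.'
} else {
    $findings | Format-List
}
```

Run it from an elevated session so that owner and signature data are readable; the script changes nothing on the host.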
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 (TIA Portal) V13
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V13 to SP2 Update 4 or later
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V14 to SP1 Update 10 or later
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V15 to 15.1 Update 5 or later
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V16 to Update 2 or later
SIMATIC STEP 7 V5
HOTFIX: Update SIMATIC STEP 7 V5 to 5.6 SP2 HF3 or later
SIMATIC WinCC Runtime Professional V13
HOTFIX: Update SIMATIC WinCC Runtime Professional V13 to SP2 Update 4 or later
SIMATIC WinCC Runtime Professional V14
HOTFIX: Update SIMATIC WinCC Runtime Professional V14 to SP1 Update 10 or later
SIMATIC WinCC Runtime Professional V15
HOTFIX: Update SIMATIC WinCC Runtime Professional V15 to 15.1 Update 5 or later
SIMATIC WinCC Runtime Professional V16
HOTFIX: Update SIMATIC WinCC Runtime Professional V16 to Update 2 or later
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced to V16 Update 2 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to SP1 Update 14 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP1 Update 3 or later
SIMATIC WinCC OA V3.16
HOTFIX: Update SIMATIC WinCC OA V3.16 to P018 or later
SIMATIC WinCC OA V3.17
HOTFIX: Update SIMATIC WinCC OA V3.17 to P003 or later
SINUMERIK Operate
HOTFIX: Update SINUMERIK Operate to V6.14 or later
SINUMERIK ONE virtual
HOTFIX: Update SINUMERIK ONE virtual to V6.14 or later
SINAMICS Startdrive
HOTFIX: Update SINAMICS Startdrive to V16 Update 3 or later
SINAMICS STARTER
HOTFIX: Update SINAMICS STARTER to V5.4 HF2 or later
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software V14 to SP1 Update 14 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software V16 to Update 3 or later
SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to V3.0 SP1 or later
SIMATIC Automation Tool
HOTFIX: Update SIMATIC Automation Tool to V4 SP2 or later
SIMATIC ProSave
HOTFIX: Update SIMATIC ProSave to V17 or later
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to V21.8 or later
SINEC NMS
HOTFIX: Update SINEC NMS to V1.0 SP2 or later
SINEMA Server
HOTFIX: Update SINEMA Server to V14 SP3 or later
Long-term hardening
HARDENING: Restrict physical and network access to engineering workstations; limit local user account creation on automation systems
HARDENING: Implement network segmentation to isolate engineering workstations from untrusted networks
HARDENING: Follow Siemens operational guidelines for Industrial Security and apply defense-in-depth strategies