OTPulse

Siemens TIA Administrator (Update A)

Plan Patch · 7.8 · ICS-CERT ICSA-21-040-05 · Feb 9, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A privilege escalation vulnerability exists in TIA Administrator (deployed with TIA Portal and PCS neo) that allows local users with limited privileges to escalate to SYSTEM-level access and execute arbitrary code. The vulnerability affects TIA Portal versions 15, 15.1, and 16, and PCS neo Administration Console versions prior to v3.1. An attacker with local login access to an engineering workstation could exploit this flaw to modify PLC programs, engineering configurations, or interact with connected control systems without proper authorization. No known public exploits exist, and the vulnerability is not remotely exploitable.

What this means
What could happen
A local user with limited privileges on an engineering workstation running TIA Administrator could escalate to SYSTEM-level access and execute arbitrary commands, potentially allowing them to alter PLC programs or process parameters without authorization.
Who's at risk
Engineering teams and system integrators managing Siemens control systems should care about this. It affects engineering workstations running TIA Portal (versions 15, 15.1, or 16) with TIA Administrator, and PCS neo Administration Console installations. Any facility where engineers need local workstation access—water treatment plants, power distribution systems, manufacturing plants—is in scope.
How it could be exploited
An attacker with local access to an engineering workstation running TIA Administrator logs in with a low-privilege user account. The attacker exploits a privilege escalation flaw to gain SYSTEM-level access on that workstation. From there, the attacker can modify PLC programs, engineering configurations, or run commands to interact with connected control systems.
Prerequisites
  • Local login access to the engineering workstation running TIA Administrator
  • Low-privilege user account on that workstation
  • TIA Portal versions 15, 15.1, or 16 with TIA Administrator (or PCS neo Administration Console < v3.1)
  • Local access required (but workstations are often shared or accessible to contractors)
  • Low attack complexity once local access is gained
  • SYSTEM-level code execution after privilege escalation
  • TIA Portal versions 15, 15.1, and 16 have no patch available—upgrade required
  • Affects engineering and configuration of safety-critical systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
1 with fix · 1 EOL

Product                            Affected Versions   Fix Status
PCS neo (Administration Console)   <V3.1               3.1
TIA Portal                         15|15.1|16          No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict local access to engineering workstations to authorized users only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PCS neo (Administration Console)
HOTFIX: Update PCS neo Administration Console to v3.1 or later version
All products
HOTFIX: Update TIA Administrator to v1.0 SP2 Upd2 or later version
HARDENING: Apply Siemens industrial security measures as described in SIMATIC PCS neo documentation
Mitigations - no patch available
TIA Portal has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate engineering workstations from general IT network