OTPulse

Siemens SIMATIC WinCC (Update E)

Act Now | CVSS 9.9 | ICS-CERT ICSA-21-315-03 | Nov 9, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in SIMATIC WinCC and related Siemens control system products allow authenticated users to escalate privileges and read, write, or delete critical files. The vulnerabilities reside in a shared component called SIMATIC Communication Services (SCS). Vulnerable versions include SIMATIC WinCC v7.4 through v17, SIMATIC PCS 7 v8.2 through v9.1, OpenPCS 7 v8.2 and v9.0, SIMATIC BATCH v8.2/v9.0/v9.1, SIMATIC NET PC Software v14-v17, and SIMATIC Route Control v8.2/v9.0/v9.1. Installing a patched version of any product also removes the vulnerability from other products on the same system due to the shared component. Several products are end-of-life and will not receive patches.

What this means
What could happen
An attacker with valid credentials could escalate privileges and read, write, or delete critical system files on SIMATIC WinCC servers and PCS 7 control systems. This could allow modification of process parameters, loss of operational visibility, or disruption of industrial processes.
Who's at risk
Process control system operators and integrators using SIMATIC WinCC (versions 7.4, 7.5, 15, 16, 17) and SIMATIC PCS 7 (versions 8.2, 9.0, 9.1) for batch processing, chemical manufacturing, discrete manufacturing, or other supervisory control. Also affects OpenPCS 7, SIMATIC BATCH, SIMATIC NET PC Software, and SIMATIC Route Control on the same systems. The vulnerability requires valid credentials but could be leveraged by disgruntled plant staff or accessed through compromised engineering workstations.
How it could be exploited
An attacker with network access and valid credentials for the SIMATIC WinCC or PCS 7 system could exploit path traversal and information disclosure vulnerabilities in a shared component (SIMATIC Communication Services) to escalate privileges. Once escalated, they could access or modify critical system files that control process logic and configuration.
Prerequisites
  • Valid credentials for SIMATIC WinCC or PCS 7 system (local or remote user account)
  • Network access to the affected WinCC/PCS 7 server
  • System running a vulnerable version of the shared SIMATIC Communication Services component
  • Requires valid credentials but allows privilege escalation
  • Affects high-impact process control systems
  • Shared vulnerable component (SIMATIC Communication Services) affects multiple products on same system
  • Several versions have no patch available
  • Path traversal enables unauthorized file access
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (21)
13 with fix, 8 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS 7 V8.2 | All versions | 8.2 SP1
SIMATIC PCS 7 V9.0 | <V9.0 SP3 UC04 | 9.0 SP3 UC04
SIMATIC PCS 7 V9.1 | <V9.1 SP1 | 9.1 SP1
SIMATIC WinCC V15 and earlier | <V15 SP1 Update 7 | 15 SP1 Update 7
SIMATIC WinCC V16 | <V16 Update 5 | 16 Update 5
Remediation & Mitigation
Do now
WORKAROUND: Disable the WinCC web server or enable it only temporarily when needed
HARDENING: Restrict local system access to trusted personnel only through host-level access controls
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC v7.4 to SP1 Update 19 or later, and v7.5 to SP2 Update 5 or later
OpenPCS 7 V9.0
HOTFIX: Update OpenPCS 7 v9.0 to version 9.0 Upd4 or later, or v9.1 to version 9.1 SP1 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software v16 to Update 6 or later, and v17 to SP1 or later
All products
HOTFIX: Update SIMATIC WinCC to version 15 SP1 Update 7 or later (v15 and earlier), version 16 Update 5 or later (v16), or version 17 Update 2 or later (v17)
HOTFIX: Update SIMATIC PCS 7 to version 8.2 SP1 or later (v8.2), version 9.0 SP3 UC04 or later (v9.0), or version 9.1 SP1 or later (v9.1)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: OpenPCS 7 V8.2, OpenPCS 7 V9.1, SIMATIC BATCH V8.2, SIMATIC NET PC Software V14, SIMATIC NET PC Software V15, SIMATIC Route Control V8.2, SIMATIC Route Control V9.0, SIMATIC BATCH V9.0. Apply the following compensating controls:
HARDENING: Isolate SIMATIC WinCC and PCS 7 systems from direct internet exposure using network segmentation and firewall rules
Siemens SIMATIC WinCC (Update E) | CVSS 9.9 - OTPulse