OTPulse

Siemens SIMATIC WinCC

Action: Plan Patch
CVSS: 7.8
ICS-CERT: ICSA-22-132-06
Published: May 10, 2022
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SIMATIC WinCC can run in Kiosk Mode, a restricted operating mode that limits what an operator can reach on an HMI workstation. A vulnerability allows an authenticated attacker with local access to escape Kiosk Mode and reach the full WinCC interface, which could enable unauthorized control of the connected industrial process. Affected products: SIMATIC PCS 7 V8.2, V9.0 and V9.1; SIMATIC WinCC Runtime Professional V16 and earlier, and V17; SIMATIC WinCC V7.3, V7.4 and V7.5.

What this means
What could happen
An authenticated attacker with local access to a WinCC HMI workstation could break out of Kiosk Mode into the full WinCC interface that the mode is meant to hide. From there they could read process data, change alarms and setpoints, or alter operator screens, which could disrupt normal operations or enable sabotage of critical processes such as water treatment or power distribution.
Who's at risk
Water utilities, electric utilities and other facilities running Siemens SCADA systems are affected. Specifically, any organization using SIMATIC WinCC (including WinCC Runtime Professional and PCS 7) as the human-machine interface (HMI) for process monitoring and control should check deployed versions against the affected-products table below. The primary concern is workstations where Kiosk Mode is relied on to restrict operators on publicly accessible or shared, multi-user HMI terminals.
How it could be exploited
An attacker first needs an interactive session on the HMI workstation, either at the console or through a remote desktop/terminal session, using valid (possibly low-privilege operator) credentials. From inside Kiosk Mode they can then break out of the restricted mode and reach the full WinCC interface without any further credentials. The vendor workarounds below target file-based (PDF/XPS) printers, which suggests the escape path runs through printing; treat any print dialog reachable from kiosk screens as part of the attack surface. The flaw cannot be triggered against WinCC over the network; the "remote" case is an attacker who already holds an RDP or terminal session on the workstation.
Prerequisites
  • Local or console access to the WinCC HMI workstation
  • Valid user credentials to log into the system (may be default or low-privilege operator account)
  • WinCC running in Kiosk Mode
Risk factors
  • Authenticated access required (local user on the workstation)
  • Low complexity exploit
  • Affects safety and control system interfaces
  • Some affected product lines have no patch available (EOL)
  • Kiosk Mode is commonly used in public or multi-user environments
Exploitability
Low exploit probability (EPSS 0.1%). EPSS estimates the likelihood of in-the-wild exploitation, not the impact once someone with workstation access decides to use the flaw.
Affected products (8)
5 with fix, 3 EOL

Product                                             Affected versions       Fix status
SIMATIC PCS 7 V9.0                                  < V9.0 SP3 UC06         V9.0 SP3 UC06
SIMATIC PCS 7 V9.1                                  < V9.1 SP1 UC01         V9.1 SP1 UC01
SIMATIC WinCC Runtime Professional V17              < V17 Upd4              V17 Upd4
SIMATIC WinCC V7.4                                  < V7.4 SP1 Update 21    V7.4 SP1 Update 21
SIMATIC WinCC V7.5                                  < V7.5 SP2 Update 8     V7.5 SP2 Update 8
SIMATIC PCS 7 V8.2                                  All versions            No fix (EOL)
SIMATIC WinCC Runtime Professional V16 and earlier  All versions            No fix (EOL)
SIMATIC WinCC V7.3                                  All versions            No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Ensure at least one physical default printer (not a file-based one such as PDF or XPS) is installed on every system running WinCC.
WORKAROUND: Disable or remove all file-based printers (PDF, XPS) from affected WinCC systems.
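As an added example (not from the advisory and not Siemens code), the following PowerShell script audits a WinCC workstation against both workarounds above and, when run with -Remediate, applies them. It assumes it is run elevated on the WinCC host and that the file-based printers present are the Windows built-ins (Microsoft Print to PDF, Microsoft XPS Document Writer); the $FileBasedPatterns list and the parameter names are assumptions and should be extended for any third-party print-to-file drivers used on site.

```powershell
# Added example, not Siemens or advisory code. Audit (and with -Remediate, apply) the two
# kiosk-mode workarounds: (1) the default printer must be a physical printer, (2) no
# file-based (PDF/XPS) printers may be installed. Run elevated on the WinCC workstation.
[CmdletBinding()]
param(
    [switch]$Remediate,          # without it the script only reports
    [string]$PreferredDefault    # physical printer to make default; first physical one if omitted
)
$ErrorActionPreference = 'Stop'

# Assumption: these driver/port fragments identify file-based printers. They cover the
# Windows built-ins (Microsoft Print To PDF, XPS Document Writer, FILE:/PORTPROMPT: ports);
# add the driver names of any third-party print-to-file tools installed on site.
$FileBasedPatterns = @('Print To PDF', 'XPS Document Writer', 'PDF', 'XPS', 'FILE:', 'PORTPROMPT:')

function Test-FileBasedPrinter {
    param($Printer)  # object returned by Get-Printer
    foreach ($pattern in $FileBasedPatterns) {
        if ($Printer.DriverName -like "*$pattern*" -or $Printer.PortName -like "*$pattern*") {
            return $true
        }
    }
    return $false
}

$printers  = @(Get-Printer)
$default   = Get-CimInstance Win32_Printer -Filter 'Default = TRUE'
$physical  = @($printers | Where-Object { -not (Test-FileBasedPrinter $_) })
$fileBased = @($printers | Where-Object { Test-FileBasedPrinter $_ })

Write-Host 'Installed printers:'
foreach ($pr in $printers) {
    $kind  = if ($fileBased.Name -contains $pr.Name) { 'FILE-BASED' } else { 'physical' }
    $isDef = if ($default -and $pr.Name -eq $default.Name) { '(default)' } else { '' }
    Write-Host ('  {0,-35} {1,-30} {2,-12} {3} {4}' -f $pr.Name, $pr.DriverName, $pr.PortName, $kind, $isDef)
}

# Workaround 1: a physical printer must be the default.
$defaultIsPhysical = $default -and ($physical.Name -contains $default.Name)
if (-not $defaultIsPhysical) {
    Write-Warning 'Default printer is missing or file-based: workaround 1 NOT met.'
    if ($Remediate) {
        $target = $physical | Select-Object -First 1
        if ($PreferredDefault) { $target = $physical | Where-Object Name -eq $PreferredDefault }
        if (-not $target) { throw 'No physical printer installed; install one, then re-run.' }
        $escaped = $target.Name -replace "'", "''"   # WQL string literal escaping
        Get-CimInstance Win32_Printer -Filter "Name = '$escaped'" |
            Invoke-CimMethod -MethodName SetDefaultPrinter | Out-Null
        Write-Host "Default printer set to $($target.Name)"
    }
} else {
    Write-Host "Default printer '$($default.Name)' is physical: workaround 1 met."
}

# Workaround 2: no file-based printers at all.
if ($fileBased.Count -gt 0) {
    Write-Warning ('File-based printers present: ' + ($fileBased.Name -join ', ') + ': workaround 2 NOT met.')
    if ($Remediate) {
        foreach ($fb in $fileBased) {
            Remove-Printer -Name $fb.Name
            Write-Host "Removed $($fb.Name)"
        }
    }
} else {
    Write-Host 'No file-based printers installed: workaround 2 met.'
}
```

Run it once without -Remediate to see the report, then with -Remediate (and -PreferredDefault 'Name' if several physical queues exist; a queue on a print server counts as physical). Removing the built-in printers does not remove the underlying Windows features; to stop them being re-added, also disable the optional features Printing-PrintToPDFServices-Features and Printing-XPSServices-Features (Disable-WindowsOptionalFeature -Online). After changing printers, verify from a kiosk screen that printing still works as operators expect.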
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 V9.0 to SP3 UC06 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to SP1 UC01 or later
SIMATIC WinCC Runtime Professional V17
HOTFIX: Update SIMATIC WinCC Runtime Professional V17 to Update 4 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to SP1 Update 21 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 8 or later
Mitigations - no patch available
The following products have reached End of Life and will not receive a fix: SIMATIC PCS 7 V8.2, SIMATIC WinCC Runtime Professional V16 and earlier, and SIMATIC WinCC V7.3. Apply the printer workarounds above and the following compensating controls:
HARDENING: Restrict local access to HMI workstations to authorized personnel only. Use physical security (locked control rooms and server rooms) and access logs so that unauthorized local logons are prevented or at least detected.
HARDENING: Segment the network so that HMI workstations are isolated from untrusted segments, and limit remote desktop/terminal access to designated administrative staff and their jump hosts.
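One way to enforce the "remote desktop only for designated administrative staff" control on an EOL workstation, as an added example that is not part of the advisory or Siemens guidance: the script below reports, and with -Enforce applies, Network Level Authentication, a pruned Remote Desktop Users group, and a host-firewall restriction of the built-in Remote Desktop rules to an admin subnet. It assumes an elevated session on Windows 10 / Server 2016 or later (older hosts behind EOL WinCC releases may lack the LocalAccounts and NetSecurity cmdlets), and the subnet and group names are placeholders.

```powershell
# Added example, not Siemens or advisory code. Audit (and with -Enforce, apply) the
# "RDP only for designated admin staff" hardening on an EOL WinCC workstation.
# Run elevated. $AdminSources and $AllowedRdpMembers are placeholders for your site.
[CmdletBinding()]
param(
    [string[]]$AdminSources      = @('10.10.50.0/24'),   # assumed engineering/jump-host subnet
    [string[]]$AllowedRdpMembers = @('OT\HMI-Admins'),   # assumed domain group allowed to RDP
    [switch]$Enforce
)
$ErrorActionPreference = 'Stop'
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$findings = [System.Collections.Generic.List[string]]::new()

# 1. If nobody needs remote sessions on this HMI, disabling RDP removes the remote path entirely.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
Write-Host "RDP enabled: $rdpEnabled"

if ($rdpEnabled) {
    # 2. Network Level Authentication: credentials are checked before a session is created,
    #    so an unauthenticated peer never reaches the logon screen of the kiosk host.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
    if (-not $nla) {
        $findings.Add('NLA is disabled on RDP-Tcp')
        if ($Enforce) { Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 }
    }

    # 3. The local "Remote Desktop Users" group must contain only the allow-list.
    #    (Members of local Administrators can always RDP; review that group separately.)
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)
    $extra   = @($members | Where-Object { $AllowedRdpMembers -notcontains $_ })
    if ($extra.Count -gt 0) {
        $findings.Add("Unexpected 'Remote Desktop Users' members: $($extra -join ', ')")
        if ($Enforce) {
            foreach ($m in $extra) { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $m }
        }
    }

    # 4. Host firewall: the built-in Remote Desktop rules must not accept connections from Any.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        if ($remote -contains 'Any') {
            $findings.Add("Firewall rule '$($rule.DisplayName)' allows RDP from Any")
            if ($Enforce) { $rule | Set-NetFirewallRule -RemoteAddress $AdminSources }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'RDP exposure: no findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Enforce) { Write-Host 'Changes applied; re-run without -Enforce to verify.' }
}
```

Run the script from an RDP session only if that session originates from an address in $AdminSources, otherwise the firewall change in step 4 will cut the session off. Pair the host firewall rule with the same restriction on the network segmentation device so the control does not depend on the workstation alone.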