Siemens WinCC OA
Priority: Act Now (CVSS 9.8)
Source: ICS-CERT ICSA-22-172-06
Published: Jun 21, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC WinCC OA implements client-side only authentication when server-side authentication (SSA) or Kerberos authentication is disabled. In this configuration, attackers can impersonate other users or access the client-server protocol without providing valid credentials. This is the default configuration in v3.16 and occurs in non-default configurations of v3.17 and v3.18. The vulnerability allows unauthenticated remote users to send arbitrary commands to the SCADA system.
What this means
What could happen
An attacker with network access to WinCC OA could impersonate legitimate users and send unauthorized commands to the SCADA system, potentially altering setpoints, stopping critical processes, or disrupting plant operations without being detected as an unauthorized user.
Who's at risk
Water utilities, electrical utilities, and any organization running SIMATIC WinCC OA as a primary SCADA/HMI system for monitoring and controlling critical infrastructure (pumping stations, treatment plants, substations, generation facilities). This affects all three supported versions when authentication is misconfigured or not enforced.
How it could be exploited
An attacker sends a crafted client-server protocol message to WinCC OA without valid credentials. Because server-side authentication is not enabled (default in v3.16), the server accepts the connection and the attacker can impersonate any user in the system. From there, the attacker can issue commands as if they were a legitimate operator.
Prerequisites
- Network access to WinCC OA server port (default port 4806 or configured alternate)
- WinCC OA must have server-side authentication (SSA) or Kerberos authentication disabled
- Target version v3.16 in default configuration, or v3.17/v3.18 in non-default configuration
Tags:
- remotely exploitable
- no authentication required (in default config)
- low complexity
- affects SCADA/HMI systems
- impacts industrial control operations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
Fix status: 2 pending, 1 EOL

Product | Affected Versions | Fix Status
SIMATIC WinCC OA V3.17 | All versions in non-default configuration | No fix yet
SIMATIC WinCC OA V3.18 | All versions in non-default configuration | No fix yet
SIMATIC WinCC OA V3.16 | All versions in default configuration | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Enable server-side authentication (SSA) or Kerberos authentication in the WinCC OA project configuration
- HARDENING: Implement network firewall rules so that WinCC OA ports (default 4806) are reachable only from trusted engineering workstations and operator consoles
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- HOTFIX: Upgrade to WinCC OA v3.17 or later, where server-side authentication is the default configuration
CVEs (1)
API:
/api/v1/advisories/0b74743d-af2d-4fe6-a323-1e1395a75143