OTPulse

Siemens SIMATIC WinCC OA Ultralight Client

Monitor | 5.4 | ICS-CERT ICSA-22-349-06 | Dec 13, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SIMATIC WinCC OA contains an argument injection vulnerability in the Ultralight Client web interface. An authenticated attacker could inject arbitrary parameters when launching the client, potentially opening unauthorized operator panels or executing control scripts with their own credentials. The vulnerability exists in versions V3.15 (before P038), V3.16 (before P035), V3.17 (before P024), and V3.18 (before P014). Siemens has released patches for all affected versions.

What this means
What could happen
An authenticated attacker could inject arbitrary parameters when launching the Ultralight Client web interface, potentially opening unauthorized panels or executing control scripts under their credentials, which could alter process monitoring and setpoints.
Who's at risk
Organizations running Siemens SIMATIC WinCC OA (supervisory control and data acquisition/HMI system) versions 3.15 through 3.18 with web-based Ultralight Client access should be concerned. This affects plant operators, system integrators, and facilities that rely on WinCC OA for monitoring and controlling processes in utilities, manufacturing, and critical infrastructure.
How it could be exploited
An attacker with valid WinCC OA credentials gains access to the web interface, then crafts a malicious URL or request that injects extra parameters when starting the Ultralight Client. This allows them to open operator panels they shouldn't see or trigger Ctrl scripts that modify process parameters.
Prerequisites
  • Valid authentication credentials for the WinCC OA system (authenticated user account)
  • Network access to the WinCC OA web interface endpoint
  • Web browser or HTTP client capable of sending crafted requests
Requires valid authentication credentials · Remotely exploitable over network · Low attack complexity · Affects SCADA/HMI system access and panel visibility
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC WinCC OA V3.15 | <V3.15 P038 | 3.15 P038 |
| SIMATIC WinCC OA V3.16 | <V3.16 P035 | 3.16 P035 |
| SIMATIC WinCC OA V3.17 | <V3.17 P024 | 3.17 P024 |
| SIMATIC WinCC OA V3.18 | <V3.18 P014 | 3.18 P014 |
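
The fixed patch levels listed above can be applied as a triage check over an asset inventory. This is an added example, not part of the advisory or any Siemens tooling; the version-string format, the hostnames, and treating a missing patch suffix as the unpatched base release are assumptions.

```python
import re

# Fixed patch level per branch, taken from the affected-products list above.
FIXED_PATCH = {"3.15": 38, "3.16": 35, "3.17": 24, "3.18": 14}

# Accepts "3.16 P030", "V3.17P024", "v3.18" (assumed inventory format).
# A missing "Pnnn" suffix is assumed to mean the base release (patch 0).
_VERSION_RE = re.compile(r"^\s*V?(\d+\.\d+)(?:\s*P(\d+))?\s*$", re.IGNORECASE)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'not_listed' or 'unparseable'."""
    m = _VERSION_RE.match(version)
    if not m:
        return "unparseable"
    branch, patch = m.group(1), int(m.group(2) or 0)
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        # Branch is not in the advisory's list; needs a manual check.
        return "not_listed"
    return "affected" if patch < fixed else "fixed"


def triage(inventory):
    """Split (host, version) pairs into hosts to patch and hosts to review by hand."""
    patch_now, review = [], []
    for host, version in inventory:
        status = classify(version)
        if status == "affected":
            patch_now.append(host)
        elif status in ("not_listed", "unparseable"):
            review.append(host)
    return patch_now, review


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("hmi-01", "3.15 P037"),   # one patch below the fix
    ("hmi-02", "V3.16 P035"),  # exactly at the fixed level
    ("hmi-03", "3.18"),        # base release, no patch suffix
    ("hmi-04", "3.19 P002"),   # branch not covered by the advisory
    ("hmi-05", "3.17-beta"),   # string that does not fit the assumed format
]

if __name__ == "__main__":
    patch_now, review = triage(SAMPLE)
    print("patch:", patch_now)
    print("review:", review)
```
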
Remediation & Mitigation
Do now
HARDENING: Configure user permissions and access management according to the WinCC OA Security Guideline to restrict who can launch Ultralight Client
HARDENING: Restrict network access to WinCC OA web interface via firewall; ensure it is not reachable from the Internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC OA V3.15
HOTFIX: Update SIMATIC WinCC OA V3.15 to patch P038 or later
SIMATIC WinCC OA V3.16
HOTFIX: Update SIMATIC WinCC OA V3.16 to patch P035 or later
SIMATIC WinCC OA V3.17
HOTFIX: Update SIMATIC WinCC OA V3.17 to patch P024 or later
SIMATIC WinCC OA V3.18
HOTFIX: Update SIMATIC WinCC OA V3.18 to patch P014 or later
Long-term hardening
HARDENING: If remote access is required, use a VPN with current security patches and authenticate through the VPN before reaching the WinCC OA web interface