Siemens TIA Portal
Plan PatchCVSS 7.3ICS-CERT ICSA-23-103-04Apr 11, 2023
Siemens
Attack path
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary
TIA Portal contains a path traversal vulnerability in project and PC system configuration file handling. If a user opens a malicious project file, an attacker could write arbitrary files to the engineering workstation, potentially achieving code execution. This affects all versions of TIA Portal V15, and unpatched versions of V16, V17, and V18. Siemens has released updates for V16, V17, and V18 but no fix is planned for V15. The vulnerability requires user interaction (opening a malicious file) and is not known to be actively exploited.
What this means
What could happen
An attacker could trick an engineer into opening a malicious project file, which would allow the attacker to write arbitrary files to the engineering workstation, potentially achieving code execution on the system used to configure your PLCs and control systems.
Who's at risk
This affects any organization that uses Siemens TIA Portal (versions 15, 16, 17, or 18) for engineering and programming PLCs, industrial controllers, and other automation equipment. Engineers and control system integrators who open project files are at direct risk. Utilities, manufacturing plants, water treatment facilities, and any site using Siemens automation are potentially affected.
How it could be exploited
An attacker sends a malicious TIA Portal project or PC system configuration file to an engineer. When the engineer opens the file in TIA Portal, the path traversal vulnerability allows the attacker's code to write files anywhere on the engineering workstation. This could include executable files that run when the system boots or when the engineer opens TIA Portal again, giving the attacker code execution on the engineering environment.
Prerequisites
- User must open a malicious project file or PC system configuration file in TIA Portal
- The user must have write permissions to the target file locations on the engineering workstation
Requires user interaction (engineer must open malicious file)Affects engineering workstations with access to control system configurationNo fix available for TIA Portal V15Could lead to compromise of automation system engineering environment
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
3 with fix1 EOL
ProductAffected VersionsFix Status
Totally Integrated Automation Portal (TIA Portal) V15All versionsNo fix (EOL)
Totally Integrated Automation Portal (TIA Portal) V16<V16 Update 716 Update 7
Totally Integrated Automation Portal (TIA Portal) V17<V17 Update 617 Update 6
Totally Integrated Automation Portal (TIA Portal) V18<V18 Update 118 Update 1
Remediation & Mitigation
0/7
Do now
0/1WORKAROUNDAvoid opening untrusted project files or PC system configuration files
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
Totally Integrated Automation Portal (TIA Portal) V15
HOTFIXUpdate TIA Portal V18 to Update 1 or later
HOTFIXUpdate TIA Portal V16 to Update 7 or later
HOTFIXUpdate TIA Portal V17 to Update 6 or later
Mitigations - no patch available
0/3Totally Integrated Automation Portal (TIA Portal) V15 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGRestrict network access to engineering workstations with firewall rules and access controls
HARDENINGImplement network segmentation to isolate engineering systems from general corporate network traffic
HARDENINGTrain engineering staff on social engineering and phishing attacks to prevent delivery of malicious files
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/4360f1c4-3cda-4622-96cc-6ebc2c0413f6Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.