Siemens SIMATIC WinCC
Risk: Low (score 3.9) · Source: ICS-CERT ICSA-23-166-05 · Published: Jun 13, 2023
Attack Vector: Adjacent
Auth Required: High
Complexity: High
User Interaction: None needed
Summary
SIMATIC WinCC and related Siemens products use legacy OPC services (OPC DA, OPC HDA, OPC AE) by default in versions before V8.0. These services rely on Windows ActiveX and DCOM, which lack modern security mechanisms for authentication and content encryption. WinCC V8.0 and later disable these legacy services by default. Affected products include SIMATIC NET PC Software V14-V15, SIMATIC PCS 7 V8.2-V9.1, WinCC versions before V8.0, and SINAUT Software ST7sc.
What this means
What could happen
An attacker with local network access and administrative privileges on the engineering workstation could intercept unencrypted OPC communications or bypass weak authentication, potentially reading process data or sending unauthorized commands to industrial equipment. This could allow an attacker to alter setpoints, stop processes, or gather sensitive operational information from your plant.
Who's at risk
Manufacturing facilities running Siemens process automation systems are affected, particularly those using SIMATIC WinCC versions before 8.0, SIMATIC PCS 7 (versions 8.2 through 9.1), SIMATIC NET PC Software (versions 14-15), and SINAUT Software ST7sc for plant monitoring and control. Engineering and administrative teams who manage these systems should verify their current versions and group memberships.
How it could be exploited
An attacker must first gain local network access to the same network segment as the WinCC server or PCS 7 system. They then exploit the lack of encryption in legacy OPC services to intercept DCOM communications or bypass the Windows group membership controls that are the only protection mechanism. High attack complexity and the required administrative group membership limit the practical risk, but the attack requires no remote access and no special tools.
Prerequisites
- Local network access to the WinCC or PCS 7 server on the same network segment
- User account with membership in SIMATIC HMI or SIMATIC Net Windows groups
- Legacy OPC services (OPC DA/HDA/AE) enabled on the target system
Key factors
- No modern encryption in legacy OPC services
- High attack complexity (requires local network access and administrative group membership)
- No authentication on OPC service connections
- Very low EPSS score (0.1%) suggests exploitation is unlikely in practice
- Not remotely exploitable
- No public exploits known
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
1 with fix, 6 EOL

Product                        | Affected Versions | Fix Status
-------------------------------|-------------------|-------------
SIMATIC WinCC                  | < V8.0            | 8.0
SIMATIC NET PC Software V14    | All versions      | No fix (EOL)
SIMATIC NET PC Software V15    | All versions      | No fix (EOL)
SIMATIC PCS 7 V8.2             | All versions      | No fix (EOL)
SIMATIC PCS 7 V9.0             | All versions      | No fix (EOL)
SIMATIC PCS 7 V9.1             | All versions      | No fix (EOL)
SINAUT Software ST7sc          | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict membership in the SIMATIC HMI and SIMATIC Net Windows groups to only trusted engineering and administrative users
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
SIMATIC WinCC
HOTFIX: Update SIMATIC WinCC to version 8.0 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC NET PC Software V14, SIMATIC NET PC Software V15, SIMATIC PCS 7 V8.2, SIMATIC PCS 7 V9.0, SIMATIC PCS 7 V9.1, SINAUT Software ST7sc. Apply the following compensating controls:
HARDENING: Disable legacy OPC DA/HDA/AE services and migrate to OPC UA
HARDENING: Implement network segmentation to limit local network access to WinCC and PCS 7 systems from untrusted workstations
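One way to carry out the group-membership check from the "Do now" item above, as an added PowerShell audit that is not part of the advisory or of any Siemens tool: it lists every member of the SIMATIC HMI and SIMATIC Net local groups on the WinCC or PCS 7 host and flags principals that are not on an approved list. The group names are taken from the advisory (confirm they match the names on your installation); the approved-principal values are constructed placeholders.

```powershell
# Added audit script (not from the advisory or Siemens). Run on the WinCC / PCS 7
# host as an administrator. Members of the SIMATIC groups are the only access
# control on legacy OPC DA/HDA/AE, so every unexpected member is a finding.
param(
    # Principals allowed to hold legacy OPC access (constructed example values)
    [string[]]$Approved = @('PLANT\eng-ops', 'PLANT\hmi-svc', "$env:COMPUTERNAME\Administrator")
)

$groups   = @('SIMATIC HMI', 'SIMATIC Net')   # group names as given in the advisory
$findings = @()

foreach ($g in $groups) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        # Missing group: product not installed here, or the installation uses another name
        Write-Warning "Local group '$g' not found on $env:COMPUTERNAME"
        continue
    }
    foreach ($m in Get-LocalGroupMember -Group $g) {
        $findings += [pscustomobject]@{
            Group    = $g
            Member   = $m.Name
            Type     = $m.ObjectClass       # 'User' or 'Group'
            Source   = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount, ...
            Approved = ($Approved -contains $m.Name)
        }
    }
}

# A nested domain group widens the trusted set without its users appearing here
$nested = @($findings | Where-Object { $_.Type -eq 'Group' })
if ($nested.Count -gt 0) {
    Write-Warning "Nested group(s) grant membership indirectly; review their members too: $($nested.Member -join ', ')"
}

$findings | Sort-Object Approved, Group, Member | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or configuration-management run raise the finding
$unapproved = @($findings | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Output "$($unapproved.Count) unapproved principal(s) in SIMATIC groups on $env:COMPUTERNAME"
    exit 1
}
Write-Output "SIMATIC group membership matches the approved list on $env:COMPUTERNAME"
exit 0
```

Review the approved list with the engineering team before relying on the exit code, since any service account WinCC itself runs under must remain a member.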
CVEs (1)