Siemens TIA Portal, SIMATIC, and SIRIUS
Monitor · 6.5 · ICS-CERT ICSA-24-193-13 · Jul 9, 2024
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
Siemens TIA Portal, SIMATIC, WinCC, SIMOCODE, SIMOTION, SINAMICS, SIRIUS, and related products do not properly restrict .NET BinaryFormatter when deserializing user-controllable input from files. This allows type confusion and arbitrary code execution. Affected versions across V16, V17, V18 branches are listed. SIMOTION SCOUT TIA and SINAMICS Startdrive have no fix available.
What this means
What could happen
An attacker who tricks an engineer into opening a malicious file could execute arbitrary code within the engineering workstation running affected Siemens tools. If compromised, the workstation could be used to modify PLC logic, SCADA configurations, or safety-critical parameters in deployed systems.
Who's at risk
Organizations using Siemens engineering and SCADA software should care about this. Specifically: engineering teams using TIA Portal (STEP 7, WinCC) for PLC and safety controller programming; motor control centers using SIRIUS or SIMOCODE devices with their configuration tools; and automation engineers using SIMOTION or SINAMICS drive configuration software. This affects the computers where engineers design and configure production systems, not the field devices themselves.
How it could be exploited
An attacker creates a malicious serialized .NET object and embeds it in a file (project file, configuration backup, or other supported format). When an engineer opens this file in an affected version of TIA Portal, WinCC, or related tools, the application deserializes the untrusted data without proper validation, triggering arbitrary code execution on the engineering workstation.
Prerequisites
- File must be opened by a user in an affected application
- User must open an untrusted file from an attacker-controlled or compromised source
- No special network access required; local file execution on engineering workstation
Tags: Local file execution on engineering workstation · CWE-502 unsafe deserialization · Social engineering attack vector (malicious file delivery) · No authentication required to exploit if user opens file · Affects safety-critical systems (STEP 7 Safety, SIRIUS Safety)
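The deserialization pattern described above, next to a type-restricted form, as an added illustration that is not Siemens code or taken from the advisory. `DriveSettings`, `AllowListBinder` and `SettingsFile` are hypothetical names, the sample streams are constructed in `Main`, and the code assumes .NET Framework, where `BinaryFormatter` is available.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical settings type; stands in for data an engineering tool keeps in a file.
[Serializable]
public sealed class DriveSettings { public string Name; public int RatedCurrentMilliamps; }

// Allow-list binder: refuses any type name this file format is not expected to contain.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { typeof(DriveSettings).FullName, typeof(DriveSettings) } };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (!Allowed.TryGetValue(typeName, out Type type))
            throw new SerializationException("Type not on allow-list: " + typeName);
        return type; // the assembly name supplied by the file is deliberately ignored
    }
}

public static class SettingsFile
{
    // Unrestricted form (CWE-502): the file decides which types get instantiated.
    public static object LoadUnrestricted(Stream file) => new BinaryFormatter().Deserialize(file);

    // Restricted form: the binder throws before an unexpected type is resolved.
    public static DriveSettings LoadRestricted(Stream file) =>
        (DriveSettings)new BinaryFormatter { Binder = new AllowListBinder() }.Deserialize(file);

    private static MemoryStream Sample(object value) // builds constructed test input
    {
        var stream = new MemoryStream();
        new BinaryFormatter().Serialize(stream, value);
        stream.Position = 0;
        return stream;
    }

    public static void Main()
    {
        var expected = new DriveSettings { Name = "pump-1", RatedCurrentMilliamps = 1200 };
        Console.WriteLine(LoadRestricted(Sample(expected)).Name);
        try { LoadRestricted(Sample(new Version(1, 0))); } // unexpected root type
        catch (SerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Microsoft's documentation warns that `BinaryFormatter` cannot be made safe for untrusted input, a binder included, so the restricted form is defence in depth and a data-only format is the durable fix.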
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (27)
21 with fix · 6 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC STEP 7 Safety V16 | <V16 Update 7 | 16 Update 7 |
| SIMATIC STEP 7 Safety V17 | <V17 Update 7 | 17 Update 7 |
| SIMATIC STEP 7 Safety V18 | <V18 Update 2 | 18 Update 2 |
| SIMATIC STEP 7 V16 | <V16 Update 7 | 16 Update 7 |
| SIMATIC STEP 7 V17 | <V17 Update 7 | 17 Update 7 |
Remediation & Mitigation
Do now
WORKAROUND: Avoid opening untrusted or unknown files in affected applications
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC STEP 7 V16
HOTFIX: Update SIMATIC STEP 7 V16 to Update 7 or later
SIMATIC STEP 7 Safety V16
HOTFIX: Update SIMATIC STEP 7 Safety V16 to Update 7 or later
SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17 to Update 7 or later
SIMATIC STEP 7 Safety V17
HOTFIX: Update SIMATIC STEP 7 Safety V17 to Update 7 or later
SIMATIC STEP 7 V18
HOTFIX: Update SIMATIC STEP 7 V18 to Update 2 or later
SIMATIC STEP 7 Safety V18
HOTFIX: Update SIMATIC STEP 7 Safety V18 to Update 2 or later
SIMATIC WinCC Unified V16
HOTFIX: Update SIMATIC WinCC Unified V16 to Update 7 or later
SIMATIC WinCC Unified V17
HOTFIX: Update SIMATIC WinCC Unified V17 to Update 7 or later
SIMATIC WinCC Unified V18
HOTFIX: Update SIMATIC WinCC Unified V18 to Update 2 or later
SIMATIC WinCC V16
HOTFIX: Update SIMATIC WinCC V16 to 16.7 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to 17.7 or later
SIMATIC WinCC V18
HOTFIX: Update SIMATIC WinCC V18 to Update 2 or later
SIMOCODE ES V16
HOTFIX: Update SIMOCODE ES V16 to Update 7 or later
SIMOCODE ES V17
HOTFIX: Update SIMOCODE ES V17 to Update 7 or later
SIMOCODE ES V18
HOTFIX: Update SIMOCODE ES V18 to Update 2 or later
SIRIUS Safety ES V17
HOTFIX: Update SIRIUS Safety ES V17 to Update 7 or later
SIRIUS Safety ES V18
HOTFIX: Update SIRIUS Safety ES V18 to Update 2 or later
SIRIUS Soft Starter ES V17
HOTFIX: Update SIRIUS Soft Starter ES V17 to Update 7 or later
SIRIUS Soft Starter ES V18
HOTFIX: Update SIRIUS Soft Starter ES V18 to Update 2 or later
Soft Starter ES V16
HOTFIX: Update Soft Starter ES V16 to Update 7 or later
TIA Portal Cloud V3.0
HOTFIX: Update TIA Portal Cloud V3.0 to Update 2 or later
All products
HOTFIX: Update SIMATIC WinCC (TIA Portal) V16 to Update 7 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) V17 to Update 7 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) V18 to Update 2 or later
Long-term hardening
HARDENING: Implement file source verification and trusted file handling procedures for engineering workstations
HARDENING: Segment engineering workstations from production networks and limit file transfer mechanisms
HARDENING: Implement endpoint protection and disable or restrict use of affected applications for users who do not require them
CVEs (1)