OTPulse

Siemens SIMATIC SCADA and PCS 7 Systems

Act Now · CVSS 9.1 · ICS-CERT ICSA-24-256-14 · Sep 10, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

SIMATIC SCADA and PCS 7 systems contain a remote code execution vulnerability in the OPC UA communication layer. An authenticated attacker can exploit insufficient input validation in the OPC UA server implementation to execute arbitrary code with system-level privileges. This affects SCADA operator interfaces (WinCC), distributed control systems (PCS 7), data historians, reporting servers, and batch processing systems. Exploitation requires valid engineering credentials and network connectivity to the administrative interface.

What this means
What could happen
An attacker with engineering credentials could execute arbitrary code on SCADA servers and PLCs with system-level privileges, enabling them to modify process setpoints, disable safety interlocks, or stop production operations entirely.
Who's at risk
This affects SCADA systems, data historians, and batch processing systems used in energy facilities and critical infrastructure operations. Specific products include WinCC (operator interfaces), PCS 7 (DCS), SIMATIC Batch systems, Information Server (reporting), and Process Historian. Water utilities and electric utilities using these systems for process monitoring and control are at risk.
How it could be exploited
An authenticated attacker (e.g., compromised engineering account or insider) can send crafted commands to the affected SCADA application across the network. The vulnerability allows these commands to execute arbitrary code with elevated privileges on the server, potentially affecting connected field devices and process logic.
Prerequisites
  • Valid engineering or administrative credentials for the SCADA system
  • Network access to the affected SIMATIC application (WinCC, PCS 7, Information Server, or Process Historian) on port 4840 or administrative interface ports
  • Authentication already established or ability to authenticate to the service
  • remotely exploitable
  • requires valid credentials (reduces risk but authenticated users are often targets)
  • high CVSS score (9.1)
  • affects critical SCADA infrastructure
  • no patch available for BATCH V9.1 and WinCC V7.4
  • potential for process disruption and safety system compromise
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (11)
9 with fix · 2 EOL
Product                                  | Affected Versions      | Fix Status
SIMATIC Information Server 2020          | < V2020 SP2 Update 5   | 2020 SP2 Update 5
SIMATIC Information Server 2022          | < V2022 SP1 Update 2   | 2022 SP1 Update 2
SIMATIC PCS 7 V9.1                       | < V9.1 SP2 UC06        | 9.1 SP2 UC06
SIMATIC Process Historian 2020           | < V2020 SP2 Update 5   | 2020 SP2 Update 5
SIMATIC Process Historian 2022           | < V2022 SP1 Update 2   | 2022 SP1 Update 2
SIMATIC WinCC Runtime Professional V18   | < V18 Update 5         | 18 Update 5
SIMATIC WinCC Runtime Professional V19   | < V19 Update 3         | 19 Update 3
SIMATIC WinCC V7.5                       | < V7.5 SP2 Update 18   | 7.5 SP2 Update 18
Remediation & Mitigation
Do now
SIMATIC BATCH V9.1
WORKAROUND: For SIMATIC BATCH V9.1 and SIMATIC WinCC V7.4 (no patch available): restrict network access to these systems using firewall rules, allowing connections only from trusted engineering workstations and administrative systems
All products
HARDENING: Review and audit engineering user accounts; disable unused accounts and enforce strong password policies for remaining administrative credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC Runtime Professional V18
HOTFIX: Update SIMATIC WinCC Runtime Professional V18 to Update 5 or later
SIMATIC WinCC Runtime Professional V19
HOTFIX: Update SIMATIC WinCC Runtime Professional V19 to Update 3 or later
SIMATIC Information Server 2020
HOTFIX: Update SIMATIC Information Server 2020 to SP2 Update 5 or later
SIMATIC Information Server 2022
HOTFIX: Update SIMATIC Information Server 2022 to SP1 Update 2 or later
SIMATIC Process Historian 2020
HOTFIX: Update SIMATIC Process Historian 2020 to SP2 Update 5 or later
SIMATIC Process Historian 2022
HOTFIX: Update SIMATIC Process Historian 2022 to SP1 Update 2 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to SP2 UC06 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 18 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to Update 5 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC BATCH V9.1, SIMATIC WinCC V7.4. Apply the following compensating controls:
HARDENING: Segment SCADA and data historian systems from general corporate networks using air gaps or dedicated VLANs
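Added example, not part of the OTPulse advisory or any Siemens tooling: a small Python triage helper that encodes the fix levels from the affected-products table and remediation list above, parses Siemens-style version strings (V<major>[.<minor>] [SPn] [Update n | UCnn]), and reports each asset-inventory entry as fixed, vulnerable, or EOL. Hostnames and installed versions in the sample inventory are constructed.

```python
import re

# Fixed versions from this advisory's affected-products table and remediation
# list; None marks the products the advisory reports as End of Life (no fix).
FIXED_VERSIONS = {
    "SIMATIC Information Server 2020": "V2020 SP2 Update 5",
    "SIMATIC Information Server 2022": "V2022 SP1 Update 2",
    "SIMATIC PCS 7 V9.1": "V9.1 SP2 UC06",
    "SIMATIC Process Historian 2020": "V2020 SP2 Update 5",
    "SIMATIC Process Historian 2022": "V2022 SP1 Update 2",
    "SIMATIC WinCC Runtime Professional V18": "V18 Update 5",
    "SIMATIC WinCC Runtime Professional V19": "V19 Update 3",
    "SIMATIC WinCC V7.5": "V7.5 SP2 Update 18",
    "SIMATIC WinCC V8.0": "V8.0 Update 5",
    "SIMATIC BATCH V9.1": None,
    "SIMATIC WinCC V7.4": None,
}

_VERSION_RE = re.compile(
    r"^V?(\d+)(?:\.(\d+))?(?:\s+SP(\d+))?(?:\s+(?:Update|UC)\s*(\d+))?$", re.I)

def parse_version(text):
    """'V9.1 SP2 UC06' -> (9, 1, 2, 6); absent parts count as 0 so tuples compare."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def assess(product, installed):
    """Verdict for one inventory entry: fixed / vulnerable / EOL / not listed."""
    if product not in FIXED_VERSIONS:
        return "not listed in this advisory"
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        return "EOL: no fix, apply compensating controls"
    if parse_version(installed) < parse_version(fixed):
        return f"vulnerable: update to {fixed} or later"
    return "fixed"

def triage(inventory):
    """inventory: iterable of (hostname, product, installed_version) tuples."""
    return [(host, prod, assess(prod, ver)) for host, prod, ver in inventory]

# Constructed sample inventory; hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("wincc-srv-01", "SIMATIC WinCC V7.5", "V7.5 SP2 Update 17"),
    ("pcs7-es-01", "SIMATIC PCS 7 V9.1", "V9.1 SP2 UC06"),
    ("batch-01", "SIMATIC BATCH V9.1", "V9.1 SP1"),
    ("rt-prof-01", "SIMATIC WinCC Runtime Professional V18", "V18 Update 3"),
]
```

Call `triage(SAMPLE_INVENTORY)` to get one (host, product, verdict) tuple per asset; feed it your real inventory export in the same shape.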