Siemens SIMATIC SCADA and PCS 7 Systems

Priority: Plan Patch
CVSS: 9.1
ICS-CERT: ICSA-24-256-14
Published: Sep 10, 2024
Vendor: Siemens
Sector: Energy

Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

SIMATIC SCADA and PCS 7 systems contain a remote code execution vulnerability in WinCC, Information Server, Process Historian, and PCS 7 products. An authenticated remote attacker could execute arbitrary code with elevated privileges on affected systems, potentially compromising process control operations. Siemens has released updates for most affected products, but WinCC V7.4 and SIMATIC BATCH V9.1 will not receive patches.

What this means
What could happen
An authenticated attacker could execute arbitrary code with high privileges on SIMATIC SCADA and process control systems, potentially altering process parameters, stopping operations, or manipulating data in historians and runtime environments.
Who's at risk
Energy sector operators running SIMATIC SCADA systems, including operators of power generation and distribution facilities, chemical plants, and other critical infrastructure using Siemens WinCC, PCS 7, BATCH, Information Server, or Process Historian products for process monitoring and control.
How it could be exploited
An attacker with valid credentials to a SIMATIC WinCC, Information Server, Process Historian, or PCS 7 system could send a specially crafted request over the network to trigger arbitrary code execution with elevated system privileges.
Prerequisites
  • Valid authentication credentials to the affected SIMATIC product
  • Network access to the product's management or operational interface
  • Access to a system running one of the affected product versions
Tags: remotely exploitable, requires valid credentials, high privileges after exploitation, affects process control systems, no patch available for WinCC V7.4 and BATCH V9.1
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (11)
9 with fix, 2 EOL
Product                                   Affected Versions        Fix Status
SIMATIC Information Server 2020           < V2020 SP2 Update 5     2020 SP2 Update 5
SIMATIC Information Server 2022           < V2022 SP1 Update 2     2022 SP1 Update 2
SIMATIC PCS 7 V9.1                        < V9.1 SP2 UC06          9.1 SP2 UC06
SIMATIC Process Historian 2020            < V2020 SP2 Update 5     2020 SP2 Update 5
SIMATIC Process Historian 2022            < V2022 SP1 Update 2     2022 SP1 Update 2
SIMATIC WinCC Runtime Professional V18    < V18 Update 5           18 Update 5
SIMATIC WinCC Runtime Professional V19    < V19 Update 3           19 Update 3
SIMATIC WinCC V7.5                        < V7.5 SP2 Update 18     7.5 SP2 Update 18
Remediation & Mitigation
Do now
SIMATIC BATCH V9.1
WORKAROUND: Restrict network access to SIMATIC WinCC V7.4 and SIMATIC BATCH V9.1 (unfixed products) to authorized engineering workstations only, using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC Runtime Professional V18
HOTFIX: Update SIMATIC WinCC Runtime Professional V18 to Update 5 or later
SIMATIC WinCC Runtime Professional V19
HOTFIX: Update SIMATIC WinCC Runtime Professional V19 to Update 3 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 18 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to Update 5 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to SP2 UC06 or later
SIMATIC Information Server 2020
HOTFIX: Update SIMATIC Information Server 2020 to SP2 Update 5 or later
SIMATIC Information Server 2022
HOTFIX: Update SIMATIC Information Server 2022 to SP1 Update 2 or later
SIMATIC Process Historian 2020
HOTFIX: Update SIMATIC Process Historian 2020 to SP2 Update 5 or later
SIMATIC Process Historian 2022
HOTFIX: Update SIMATIC Process Historian 2022 to SP1 Update 2 or later via PCS neo V5.0 Update 1
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC BATCH V9.1, SIMATIC WinCC V7.4. Apply the following compensating controls:
HARDENING: Enforce strong, unique authentication credentials for all SIMATIC product accounts and limit administrative access to trusted personnel
HARDENING: Implement network segmentation to isolate SCADA and process control systems from untrusted networks and limit administrative access
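As an added example (not code from OTPulse or Siemens), the following Python script triages an asset inventory against the fixed-in versions from the affected-products table and the hotfix list above, and routes the two End-of-Life products (WinCC V7.4, BATCH V9.1) to the compensating controls instead of a patch. The version grammar it parses (V<major>[.<minor>] [SP<n>] [Update <n> | UC<nn>]) is inferred from the version strings on this page and is an assumption; the host names and installed versions in INVENTORY are constructed sample data, not real assets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed-in versions as published on this advisory page. Products the page
# marks End of Life with no planned fix map to None.
FIXED_IN = {
    "SIMATIC Information Server 2020": "V2020 SP2 Update 5",
    "SIMATIC Information Server 2022": "V2022 SP1 Update 2",
    "SIMATIC PCS 7 V9.1": "V9.1 SP2 UC06",
    "SIMATIC Process Historian 2020": "V2020 SP2 Update 5",
    "SIMATIC Process Historian 2022": "V2022 SP1 Update 2",
    "SIMATIC WinCC Runtime Professional V18": "V18 Update 5",
    "SIMATIC WinCC Runtime Professional V19": "V19 Update 3",
    "SIMATIC WinCC V7.5": "V7.5 SP2 Update 18",
    "SIMATIC WinCC V8.0": "V8.0 Update 5",
    "SIMATIC WinCC V7.4": None,   # EOL, no fix
    "SIMATIC BATCH V9.1": None,   # EOL, no fix
}

# Compensating controls the page lists for unfixed products.
EOL_ACTION = ("no patch: restrict network access to authorized engineering "
              "workstations, enforce strong unique credentials, segment from "
              "untrusted networks")

# Assumed grammar: base version (optionally prefixed with V), service pack
# (SPn), and an update level written either as "Update n" or "UCnn".
_TOKEN = re.compile(r"V?(\d+(?:\.\d+)*)|SP(\d+)|(?:Update|UC)\s*(\d+)", re.I)

Version = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> Version:
    """Normalise a Siemens-style version string to (base, sp, update)."""
    base: Tuple[int, ...] = ()
    sp = 0
    update = 0
    for m in _TOKEN.finditer(text):
        if m.group(1):
            base = tuple(int(p) for p in m.group(1).split("."))
        elif m.group(2):
            sp = int(m.group(2))
        elif m.group(3):
            update = int(m.group(3))
    return (base, sp, update)


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    status: str   # "patched" | "vulnerable" | "eol-unfixed" | "not-in-advisory"
    action: str


def triage(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Classify each (host, product, installed_version) entry."""
    findings: List[Finding] = []
    for host, product, installed in inventory:
        if product not in FIXED_IN:
            findings.append(Finding(host, product, installed, "not-in-advisory",
                                    "no action for this advisory"))
            continue
        fixed: Optional[str] = FIXED_IN[product]
        if fixed is None:
            findings.append(Finding(host, product, installed, "eol-unfixed", EOL_ACTION))
            continue
        if parse_version(installed) >= parse_version(fixed):
            findings.append(Finding(host, product, installed, "patched", "no action"))
        else:
            findings.append(Finding(host, product, installed, "vulnerable",
                                    f"update to {fixed} or later; plan a reboot window"))
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    ("scada-01", "SIMATIC WinCC V7.5", "V7.5 SP2 Update 17"),
    ("scada-02", "SIMATIC WinCC V7.5", "V7.5 SP2 Update 18"),
    ("pcs7-eng", "SIMATIC PCS 7 V9.1", "V9.1 SP2 UC05"),
    ("hist-01", "SIMATIC Process Historian 2020", "V2020 SP2 Update 5"),
    ("batch-01", "SIMATIC BATCH V9.1", "V9.1 SP1"),
    ("hmi-05", "SIMATIC WinCC Runtime Professional V18", "V18 Update 4"),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.host:10} {f.status:15} {f.product} ({f.installed}): {f.action}")
```

The comparison is lexicographic over (base, SP, update), so a host on a newer service pack with a lower update number still ranks above the fixed-in version, which matches how the page states the fixes ("SP2 Update 18 or later"). Because the two EOL products never reach the version comparison, an inventory entry for them always surfaces with the workaround rather than a misleading "patched" result.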