Siemens Engineering Platforms

Action: Plan Patch
CVSS: 7.3
ICS-CERT: ICSA-24-347-02
Date: Dec 10, 2024
Vendor: Siemens
Sector: Manufacturing
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

A local arbitrary code execution vulnerability exists in Siemens engineering and automation products (SIMATIC S7-PLCSIM, STEP 7, WinCC, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS products, and TIA Portal Cloud). The vulnerability could allow an authenticated local attacker to execute arbitrary code with operating system privileges. Siemens has released fixes for STEP 7 V17/V19, WinCC Unified V17/V19, WinCC V17/V19, and SIMOTION SCOUT TIA V5.6 SP1. Many products remain unfixed, including all versions of SIMATIC S7-PLCSIM V17/V18, STEP 7 V18, WinCC V18, SIMOCODE ES, SINAMICS Startdrive, and SIRIUS products across all versions. TIA Portal V20 is not affected.

What this means
What could happen
An attacker with local access to an engineering workstation could execute arbitrary code as the operating system user, potentially compromising the integrity of PLC programs, safety configurations, and automation logic before deployment to production systems. This could allow modification of control logic or safety functions, affecting operational safety and asset control.
Who's at risk
Manufacturing facilities and utilities using Siemens automation platforms should care about this vulnerability. It affects engineering workstations running SIMATIC STEP 7, WinCC (both versions), SIMOTION SCOUT TIA, and related TIA Portal products used to program and configure PLCs, safety systems, and industrial HMIs. Organizations running V17, V18, or older V19 versions of these tools are most exposed; V20 is unaffected. All versions of SIMATIC S7-PLCSIM, SINAMICS Startdrive, SIMOCODE ES, and SIRIUS products remain vulnerable.
How it could be exploited
An attacker with physical or local network access to an engineering workstation running affected Siemens software could trigger the vulnerability through a crafted file or interaction requiring user action. The attacker would gain arbitrary code execution in the context of the engineering application, potentially allowing them to modify PLC programs, safety settings, or other automation configurations before those are deployed to actual control systems.
Prerequisites
  • Local access to the engineering workstation running affected Siemens software
  • Low privilege user account on the workstation
  • User interaction required (e.g., opening a specially crafted file)
Key points
  • Local attack vector required
  • Low attack complexity
  • Low privilege user needed
  • User interaction required
  • Many products have no fix available
  • Affects engineering platforms that create safety-critical configurations
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (34)
10 with fix, 24 pending

Product | Affected Versions | Fix Status
SIMATIC S7-PLCSIM V17 | All versions | No fix yet
SIMATIC S7-PLCSIM V18 | All versions | No fix yet
SIMATIC STEP 7 Safety V17 | < V17 Update 9 | 17 Update 9
SIMATIC STEP 7 Safety V18 | All versions | No fix yet
SIMATIC STEP 7 Safety V19 | < V19 Update 4 | 19 Update 4
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to engineering workstations using firewall rules to allow connections only from authorized engineering networks and devices
  • HARDENING: Implement access controls requiring strong authentication and limiting local access to engineering workstations to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIRIUS Safety ES V17 (TIA Portal)
  • HOTFIX: Migrate to TIA Portal V20 or later for products not yet fixed in current versions
All products
  • HOTFIX: Update SIMATIC STEP 7 to version 17 Update 9 or later (for V17) or version 19 Update 4 or later (for V19)
  • HOTFIX: Update SIMATIC WinCC to version 17 Update 9 or later (for V17) or version 19 Update 4 or later (for V19)
  • HOTFIX: Update SIMATIC WinCC Unified to version 17 Update 9 or later (for V17) or version 19 Update 4 or later (for V19)
  • HOTFIX: Update SIMOTION SCOUT TIA to version 5.6 SP1 HF7 or later (for V5.6)
Long-term hardening
  • HARDENING: Isolate engineering workstations on a separate network segment from production OT networks to limit lateral movement if an engineering station is compromised
