OTPulse

Siemens Engineering Platforms

Plan Patch
CVSS: 7.3
ICS-CERT ICSA-24-347-02
Dec 10, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Siemens TIA Portal-based engineering software (STEP 7, WinCC, SIMOTION SCOUT TIA, and related components) contains a local arbitrary code execution vulnerability (CWE-20: improper input validation). An attacker with local access to an engineering workstation could execute arbitrary code by tricking a user into opening a malicious project file or attachment. The vulnerability affects multiple versions; Siemens has released patches for V17 Update 9, V19 Update 4, and SIMOTION SCOUT TIA V5.6 SP1 HF7. Many products at V18 and earlier versions have no fix planned. Siemens recommends updating to TIA Portal V20 or later where available, and implementing network segmentation to protect engineering workstations.

What this means
What could happen
An attacker with local access to an engineering workstation running affected Siemens software could execute arbitrary code with the privileges of the logged-in user, potentially allowing them to modify PLC/control logic, steal project configurations, or disrupt engineering activities. Since these are development and configuration tools rather than field devices, the primary risk is data theft and manipulation of control system designs before they are deployed.
Who's at risk
Manufacturing organizations using Siemens TIA Portal, WinCC, STEP 7, or related engineering software on Windows workstations should be concerned. This affects the computers where engineers design and configure PLCs, motors, HMIs, and safety systems—not the production equipment itself. Organizations with large engineering teams, contract engineers, or frequent file exchanges with vendors are at higher risk.
How it could be exploited
An attacker would need physical or local network access to an engineering workstation where Siemens TIA Portal, WinCC, or related tools are installed. The vulnerability requires a user to interact with a malicious file (CWE-20: improper input validation). If the user opens a crafted file without noticing, the attacker's code runs with that user's privileges. An attacker could deliver the malicious file via USB, email attachment, or shared drive on the engineering network.
Prerequisites
  • Local or network-adjacent access to the engineering workstation
  • User must be logged in to the affected Siemens application
  • User interaction required (opening a malicious file or project)
  • No special privileges or credentials required beyond normal engineering workstation access
  • Local exploitation only, not remotely exploitable
  • Low complexity attack
  • Requires user interaction
  • No patch available for majority of products (V18 and V5.4/5.5 tools, S7-PLCSIM, SINAMICS Startdrive)
  • Affects safety system design tools (STEP 7 Safety, SIRIUS Safety ES)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (34)
10 with fix, 24 pending

Product | Affected Versions | Fix Status
SIMATIC S7-PLCSIM V17 | All versions | No fix yet
SIMATIC S7-PLCSIM V18 | All versions | No fix yet
SIMATIC STEP 7 Safety V17 | <V17 Update 9 | 17 Update 9
SIMATIC STEP 7 Safety V18 | All versions | No fix yet
SIMATIC STEP 7 Safety V19 | <V19 Update 4 | 19 Update 4
Remediation & Mitigation
Do now
  • HARDENING: Restrict access to engineering workstations to authorized personnel only; use network access controls to limit who can reach these systems
  • HARDENING: Isolate the engineering network from the business network using firewalls and VLANs; do not allow engineering tools to be accessible from untrusted networks
  • HARDENING: Train engineering staff not to open project files or attachments from untrusted sources; implement file transfer scanning or review procedures
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V17
  • HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later, STEP 7 Safety V17 to Update 9 or later, and SIMATIC WinCC V17 to Update 9 or later
SIMATIC STEP 7 V19
  • HOTFIX: Update SIMATIC STEP 7 V19 to Update 4 or later, STEP 7 Safety V19 to Update 4 or later, SIMATIC WinCC Unified V19 to Update 4 or later, SIMATIC WinCC V19 to Update 4 or later, and SIMATIC WinCC Unified PC Runtime V19 to Update 4 or later
SIMOTION SCOUT TIA V5.6
  • HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
Long-term hardening
SIRIUS Safety ES V17 (TIA Portal)
  • HOTFIX: Migrate to Siemens TIA Portal V20 or later, which is not affected by this vulnerability
All products
  • HARDENING: Monitor engineering workstation activity for suspicious file opens and code execution; use application whitelisting if available
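
Added example (not OTPulse or Siemens code): a triage helper that sorts an engineering-workstation software inventory into "update in the scheduled window" versus "no fix, rely on the hardening steps", using only fix levels stated on this page. The function names, status labels and sample inventory are hypothetical; it assumes a base release with no "Update" suffix counts as Update 0, and it flags version schemes it cannot parse (such as SIMOTION SCOUT's "SP1 HF7") for manual review instead of guessing.

```python
import re

# Fixed "Update" level per (product, major version), taken from this page's
# table and remediation list. None = the page lists the fix as "No fix yet".
FIXED_UPDATE = {
    ("SIMATIC S7-PLCSIM", 17): None,
    ("SIMATIC S7-PLCSIM", 18): None,
    ("SIMATIC STEP 7 Safety", 17): 9,
    ("SIMATIC STEP 7 Safety", 18): None,
    ("SIMATIC STEP 7 Safety", 19): 4,
    ("SIMATIC WinCC", 17): 9,
    ("SIMATIC WinCC", 19): 4,
}

VERSION_RE = re.compile(r"^V(\d+)(?:\s+Update\s+(\d+))?$", re.IGNORECASE)

def triage(product, version):
    """Return 'fixed', 'update', 'mitigate', 'not_listed' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"        # unknown scheme: send to manual review
    major, update = int(m.group(1)), int(m.group(2) or 0)
    key = (product.strip(), major)
    if key not in FIXED_UPDATE:
        return "not_listed"      # not in this excerpt: check the full advisory
    fixed = FIXED_UPDATE[key]
    if fixed is None:
        return "mitigate"        # no fix yet: hardening steps are the control
    return "fixed" if update >= fixed else "update"

def triage_inventory(rows):
    """rows: (host, product, version) tuples -> {status: [rows]}."""
    out = {}
    for host, product, version in rows:
        out.setdefault(triage(product, version), []).append((host, product, version))
    return out

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ews-01", "SIMATIC STEP 7 Safety", "V17 Update 8"),
    ("ews-01", "SIMATIC S7-PLCSIM", "V18 Update 2"),
    ("ews-02", "SIMATIC STEP 7 Safety", "V19 Update 4"),
    ("ews-03", "SIMATIC STEP 7 Safety", "V18"),
    ("ews-04", "SIMATIC WinCC", "V19 Update 3"),
    ("ews-05", "SIMOTION SCOUT TIA", "V5.6 SP1 HF6"),
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE))
```

Hosts in the "mitigate" bucket are the ones where access restriction, network isolation and file-handling procedures are the only available controls until migration.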