Siemens Engineering Platforms

Action: Plan patch | CVSS 7.8 | ICS-CERT ICSA-24-347-05 | Published Dec 10, 2024
Vendor: Siemens | Sector: Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability classified as CWE-502 (Deserialization of Untrusted Data) exists in Siemens engineering platforms when they parse user-supplied project files: a crafted file causes the parser to interpret data as the wrong type (type confusion), which can lead to arbitrary code execution within the application. Affected products include multiple versions of STEP 7, WinCC, PLCSIM, and related engineering tools used to program and configure industrial controllers and HMIs. Siemens has released fixes for the V19 products (STEP 7, WinCC and WinCC Unified V19 Update 4) and for SIMOTION SCOUT TIA V5.6 (SP1 HF7), but has stated that no fixes are planned for the V16, V17 and V18 versions. TIA Portal V20 products are not affected.

What this means
What could happen
An attacker who tricks an engineer into opening a malicious file can execute arbitrary code on the engineering workstation with that engineer's privileges. From there the attacker could modify PLC programs or HMI configurations before they are downloaded to production equipment, or steal control system designs.
Who's at risk
Engineering teams and automation integrators that use Siemens TIA Portal products to design and program industrial control systems. Affected products include PLC programming and simulation tools (STEP 7, S7-PLCSIM), HMI design tools (WinCC, WinCC Unified), drive configuration tools (SINAMICS Startdrive), safety engineering tools (STEP 7 Safety, SIRIUS Safety ES), and related configuration utilities. Organizations still running V16, V17 or V18 are at greatest risk because no fix is available for those versions.
How it could be exploited
An attacker crafts a malicious file (most likely a project file or project archive) and delivers it to an engineer by email or file sharing. When the engineer opens the file in an affected engineering tool (STEP 7, WinCC, etc.), the parser misinterprets the file structure (type confusion), and the attacker's code runs with the privileges of the engineering application, that is, those of the logged-in user.
Prerequisites
  • User interaction: an engineer or technician must open the malicious file in an affected engineering product
  • An affected version of the engineering application must be installed on the workstation that opens the file
  • No network access or credentials beyond ordinary use of the engineering workstation are needed
Key risk factors
  • Low attack complexity
  • User interaction required (file open)
  • Affects engineering design tools with access to safety-critical configurations
  • Most affected versions (V16, V17, V18) have no fix planned
  • Wide range of affected products spanning PLC programming, HMI design, drive configuration, and safety engineering tools
Exploitability
EPSS score 0.1%: exploitation in the wild is currently predicted to be unlikely. Note that EPSS reflects observed exploitation activity, not the impact of a successful attack on an engineering workstation.
Affected products (39 in the advisory: 5 with a fix, 34 pending; first 5 shown)

Product                      | Affected Versions | Fix Status
SIMATIC S7-PLCSIM V16        | All versions      | No fix yet
SIMATIC S7-PLCSIM V17        | All versions      | No fix yet
SIMATIC STEP 7 Safety V16    | All versions      | No fix yet
SIMATIC STEP 7 Safety V17    | All versions      | No fix yet
SIMATIC STEP 7 Safety V18    | All versions      | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Do not open files from untrusted or unknown sources in affected engineering products, especially files received by email or through external file sharing.
Schedule (requires maintenance window)

Installing these updates may require a reboot of the engineering workstation; schedule them so that open projects and online connections to controllers are not interrupted.

SIMATIC STEP 7 V19: HOTFIX: update to V19 Update 4 or later
SIMATIC WinCC V19: HOTFIX: update to V19 Update 4 or later
SIMATIC WinCC Unified V19: HOTFIX: update to V19 Update 4 or later
SIMOTION SCOUT TIA V5.6: HOTFIX: update to V5.6 SP1 HF7 or later
SIRIUS Safety ES V17 (TIA Portal): MIGRATION: migrate to TIA Portal V20 products, which are unaffected by this vulnerability
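Before scheduling the updates above it helps to know which of the listed product families are actually installed on each engineering workstation. The following PowerShell is an added example, not code from the OTPulse page or from Siemens: it reads the standard Windows Uninstall registry keys, keeps entries whose DisplayName matches the product families named in this advisory, and maps each to the fix status given above. The family names and the assumption that DisplayName carries a "V<major>" token are assumptions about installer naming, so treat the output as a triage list and confirm the installed update level in the product's own installed-software view.

```powershell
# Added example, not from the OTPulse page or Siemens. Inventory Siemens engineering
# products from the Windows Uninstall registry keys (64-bit and 32-bit views) and map
# each to the fix status given in this advisory summary.
# Assumption: DisplayName carries the product family and a "V<major>" token, e.g.
# "SIMATIC STEP 7 Professional V19"; real installer strings vary, so verify the
# update level (e.g. "Update 4") in the product itself.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product families named in the advisory (regex alternation matched against DisplayName)
$families = 'SIMATIC STEP 7|SIMATIC WinCC|S7-PLCSIM|SINAMICS Startdrive|SIMOTION SCOUT|SIRIUS Safety ES|TIA Portal'

function Get-AdvisoryStatus {
    param([string]$Name, [string]$Version)

    if ($Name -match 'SIMOTION SCOUT') {
        # SIMOTION SCOUT TIA is versioned V5.x; the fix is V5.6 SP1 HF7, which the
        # DisplayVersion string does not reliably encode
        return 'CHECK - needs SIMOTION SCOUT TIA V5.6 SP1 HF7 or later'
    }

    # Major TIA Portal version from the name ("... V19") or, failing that, from DisplayVersion ("19.x")
    $major = $null
    if ($Name -match '\bV(1[6-9]|20)\b')        { $major = [int]$Matches[1] }
    elseif ($Version -match '^(1[6-9]|20)\.')  { $major = [int]$Matches[1] }

    if ($major -in 16, 17, 18) { return 'AFFECTED - no fix available; isolate or migrate to V20' }
    if ($major -eq 19)         { return 'CHECK - needs Update 4 or later (verify installed update level)' }
    if ($major -eq 20)         { return 'Unaffected' }
    return 'UNKNOWN - review manually'
}

$findings = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match $families } |
    ForEach-Object {
        [pscustomobject]@{
            Product = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Get-AdvisoryStatus -Name $_.DisplayName -Version $_.DisplayVersion
        }
    } |
    Sort-Object -Property Product -Unique

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each engineering workstation, or push it through your endpoint management tooling and collect the table; rows marked AFFECTED are the V16/V17/V18 installations that can only be isolated or migrated.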
Long-term hardening
HARDENING: Run engineering workstation accounts with standard-user privileges and require that project files from external sources are reviewed and approved before they are opened in an engineering tool
HARDENING: Air-gap or tightly restrict network access for engineering workstations that hold sensitive PLC/HMI designs
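The "do now" workaround and the first hardening item both come down to knowing which project files arrived from outside. On Windows, files saved from a browser, mail client or download carry Mark-of-the-Web in the NTFS Zone.Identifier alternate data stream, so a share can be scanned for tagged engineering files before anyone opens them. The following PowerShell is an added example, not code from the OTPulse page or from Siemens; the scan root, quarantine folder and the list of project extensions (.apNN / .zapNN for TIA Portal, .s7p, .zip) are assumptions to adjust for your environment.

```powershell
# Added example, not from the OTPulse page or Siemens. Find engineering files in a
# project share that arrived via an internet or email channel (Windows Mark-of-the-Web,
# stored as the NTFS Zone.Identifier alternate data stream with ZoneId 3 = Internet
# or 4 = Restricted sites) so they can be reviewed before anyone opens them in an
# affected tool. Assumptions: NTFS volume; TIA Portal project/archive extensions
# .apNN / .zapNN plus classic .s7p and .zip (constructed list); hypothetical paths.
param(
    [string]$Root = 'D:\Projects',
    [string]$Quarantine = 'D:\Quarantine',
    [switch]$Move                      # move flagged files into $Quarantine for review
)

$projectExtensions = '\.(ap1[6-9]|ap20|zap1[6-9]|zap20|s7p|zip)$'

function Get-MotwInfo {
    param([string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null                   # no Zone.Identifier stream: file is not MOTW-tagged
    }
    $info = [ordered]@{ ZoneId = $null; HostUrl = $null; ReferrerUrl = $null }
    foreach ($line in $ads) {
        if     ($line -match '^ZoneId=(\d+)')      { $info.ZoneId      = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$')     { $info.HostUrl     = $Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.+)$') { $info.ReferrerUrl = $Matches[1] }
    }
    return [pscustomobject]$info
}

$flagged = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $projectExtensions } |
    ForEach-Object {
        $motw = Get-MotwInfo -Path $_.FullName
        if ($motw -and $motw.ZoneId -ge 3) {
            # Prefer the download URL; fall back to the referrer when HostUrl is absent
            $source = $motw.HostUrl
            if (-not $source) { $source = $motw.ReferrerUrl }
            [pscustomobject]@{
                File   = $_.FullName
                ZoneId = $motw.ZoneId
                Source = $source
            }
        }
    }

$flagged | Format-Table -AutoSize

if ($Move -and $flagged) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    foreach ($f in $flagged) {
        Move-Item -LiteralPath $f.File -Destination $Quarantine
    }
}
```

Save it as a script and run it against the project share on a schedule (`.\Find-MotwProjects.ps1 -Root '\\fileserver\projects'`, adding `-Move` once the review process exists). Files copied from removable media or extracted by tools that strip the stream will not be tagged, so this complements, rather than replaces, the rule of not opening files from unknown sources.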

Siemens Engineering Platforms | CVSS 7.8 - OTPulse