OTPulse

Siemens OPC UA

Priority: Act Now · CVSS 9.1 · ICS-CERT ICSA-25-072-09 · Mar 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens OPC UA implementations contain two authentication bypass vulnerabilities (CWE-208, CWE-305) that allow attackers to gain unauthorized access to server-managed data without valid credentials. The vulnerabilities affect SIMATIC Energy Manager PRO versions 7.2–7.5, SIMIT, WinCC Unified, WinCC, SIMATIC IPC DiagMonitor, and Industrial Edge for Machine Tools. Patches are available for some versions (Energy Manager PRO 7.5 Update 2+, WinCC Unified 19 Update 4+, WinCC 8.0 Update 3+, SIMIT 11.3+), but versions 7.2, 7.3, and some Industrial Edge and DiagMonitor instances have no fix planned or available. The HTTPS OPC UA endpoint is disabled by default in some products (Unified RT, DiagMonitor) but enabled by default in others.

What this means
What could happen
An attacker with network access to the OPC UA server could bypass authentication and gain unauthorized access to the data managed by these systems, potentially allowing them to read sensitive process information or configuration details from energy management and industrial control systems.
Who's at risk
Energy utilities and manufacturing plants running Siemens OPC UA–based systems should prioritize this advisory. Affected equipment includes SIMATIC Energy Manager PRO (versions 7.2–7.5), SIMIT, WinCC Unified and WinCC, SIMATIC IPC DiagMonitor, and Industrial Edge for Machine Tools. These are commonly used for real-time energy monitoring, HMI operation, and diagnostic collection in power generation, distribution, and manufacturing environments.
How it could be exploited
An attacker on the network sends a specially crafted authentication request to the OPC UA HTTPS endpoint on the affected device. The server fails to properly validate credentials and grants access without requiring valid authentication, allowing the attacker to read or potentially modify managed data.
Prerequisites
  • Network access to the OPC UA HTTPS endpoint (port 443 or configured OPC UA port)
  • HTTPS endpoint must be enabled (enabled by default in some products, disabled by default in others)
  • No valid credentials required
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (9.1) · affects operational technology systems · no patch available for multiple versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (10): 5 with fix, 5 EOL

Product | Affected Versions | Fix Status
SIMATIC Energy Manager PRO V7.2 | All versions | No fix (EOL)
SIMATIC Energy Manager PRO V7.4 | ≥ V7.4 Update 0, < V7.4 Update 7 | 7.4 Update 7
SIMATIC Energy Manager PRO V7.5 | ≥ V7.5 Update 0, < V7.5 Update 2 | 7.5 Update 2
SIMIT V11 | < 11.3 | 11.3
SIMATIC WinCC Unified V19 | < V19 Update 4 | 19 Update 4
SIMATIC WinCC V8.0 | < V8.0 Update 3 | 8.0 Update 3
SIMATIC Energy Manager PRO V7.3 | All versions | No fix (EOL)
Industrial Edge for Machine Tools (formerly known as "SINUMERIK Edge") | All versions | No fix (EOL)
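To turn the table above into an inventory check, here is an added example (not OTPulse or Siemens code) that parses Siemens-style version strings and classifies each install against the advisory's affected ranges; the version ranges and fix labels are transcribed from the table, while the host names in the sample inventory are constructed.

```python
import re

# Affected ranges transcribed from the advisory table: product line ->
# (lowest affected, first fixed, fix label). None bound = all versions; None fix = EOL.
ADVISORY = {
    "SIMATIC Energy Manager PRO V7.2": (None, None, None),
    "SIMATIC Energy Manager PRO V7.3": (None, None, None),
    "SIMATIC Energy Manager PRO V7.4": ((7, 4, 0), (7, 4, 7), "V7.4 Update 7"),
    "SIMATIC Energy Manager PRO V7.5": ((7, 5, 0), (7, 5, 2), "V7.5 Update 2"),
    "SIMIT V11": (None, (11, 3, 0), "V11.3"),
    "SIMATIC WinCC Unified V19": (None, (19, 0, 4), "V19 Update 4"),
    "SIMATIC WinCC V8.0": (None, (8, 0, 3), "V8.0 Update 3"),
    "Industrial Edge for Machine Tools": (None, None, None),
}

# Matches the forms used on the page: "V7.4 Update 3", "7.5", "V11.3", "V19 Update 4".
VERSION_RE = re.compile(r"V?(\d+)(?:\.(\d+))?(?:\s*Update\s*(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Normalise a Siemens-style version string to a comparable (major, minor, update)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, update = m.groups()
    return (int(major), int(minor or 0), int(update or 0))

def assess(product, installed):
    """One install -> 'affected:<fix>', 'affected:EOL', 'not affected' or 'unknown product'."""
    entry = ADVISORY.get(product)
    if entry is None:
        return "unknown product"
    lowest, first_fixed, fix = entry
    version = parse_version(installed)
    if lowest is not None and version < lowest:
        return "not affected"
    if first_fixed is not None and version >= first_fixed:
        return "not affected"
    return f"affected:{fix}" if fix else "affected:EOL"

def check_inventory(rows):
    """rows: iterable of (host, product line, installed version) -> {host: status}."""
    return {host: assess(product, installed) for host, product, installed in rows}

# Constructed sample inventory with hypothetical host names, not data from the advisory.
SAMPLE_INVENTORY = [
    ("emp-01", "SIMATIC Energy Manager PRO V7.4", "V7.4 Update 3"),
    ("emp-02", "SIMATIC Energy Manager PRO V7.2", "V7.2 Update 9"),
    ("hmi-01", "SIMATIC WinCC Unified V19", "V19 Update 4"),
    ("sim-01", "SIMIT V11", "V11.2"),
]
```

Hosts reported as `affected:EOL` fall under the compensating controls in the "Mitigations - no patch available" section rather than a hotfix.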
Remediation & Mitigation
Do now
WORKAROUND: Disable the HTTPS OPC UA endpoint if not required (default in Unified RT and DiagMonitor)
HARDENING: Restrict network access to OPC UA servers with firewall rules; do not expose to the internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC Energy Manager PRO to V7.5 Update 2 or later
HOTFIX: Update SIMIT to version 11.3 or later
HOTFIX: Update SIMATIC WinCC Unified to V19 Update 4 or later
HOTFIX: Update SIMATIC WinCC to V8.0 Update 3 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC Energy Manager PRO V7.2, SIMATIC Energy Manager PRO V7.3, Industrial Edge for Machine Tools (formerly known as "SINUMERIK Edge"), SIMATIC IPC DiagMonitor, SIMATIC WinCC Unified V18. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate affected devices from business networks
HARDENING: Use VPNs for required remote access to devices