Siemens OPC UA
Plan PatchCVSS 9.1ICS-CERT ICSA-25-072-09Mar 11, 2025
SiemensEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Siemens SCADA and HMI products contain two authentication bypass vulnerabilities (CWE-208, CWE-305) in OPC UA server implementations that allow unauthenticated remote attackers to access operational data. Affected products include SIMATIC Energy Manager PRO (multiple versions), SIMATIC WinCC Unified (V18, V19), SIMATIC WinCC V8.0, SIMIT V11, Industrial Edge for Machine Tools, and SIMATIC IPC DiagMonitor. The vulnerabilities enable access to sensitive operational parameters without valid credentials. Siemens has released fixes for some versions but multiple product lines have no fix planned or available, particularly older versions of Energy Manager PRO (V7.2, V7.3) and WinCC Unified V18.
What this means
What could happen
An attacker could bypass authentication and gain unauthorized access to SCADA/HMI systems and energy management servers, potentially reading or altering critical operational data and process parameters without requiring valid credentials.
Who's at risk
Energy utilities and manufacturing plants using Siemens SIMATIC WinCC HMI systems, SIMATIC Energy Manager PRO for power monitoring, and SIMIT simulation software should be concerned. WinCC Unified is especially critical as it is widely deployed for supervisory control of substations and generator operations. Energy Manager PRO directly manages real-time energy data and process setpoints. SINUMERIK Edge and IPC DiagMonitor affect machine tool and industrial edge deployments.
How it could be exploited
An attacker with network access to the OPC UA server endpoints (typically ports 4840 or 443) could send specially crafted requests to bypass authentication mechanisms and access the server's data. The vulnerability exists in the authentication handling of OPC UA connections, allowing access without valid credentials or credentials.
Prerequisites
- Network access to OPC UA server endpoints (typically port 4840 for unencrypted OPC UA or port 443 for HTTPS)
- OPC UA HTTPS endpoint must be enabled (default is disabled in WinCC Unified RT and IPC DiagMonitor, but enabled in other affected products)
Remotely exploitable over networkNo authentication required (authentication bypass)Low attack complexityHigh impact on confidentiality and integrity of operational dataMultiple affected products with no fix planned (V7.2, V7.3 Energy Manager, V18 WinCC Unified, Edge for Machine Tools, IPC DiagMonitor)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (10)
5 with fix5 EOL
ProductAffected VersionsFix Status
SIMATIC Energy Manager PRO V7.2All versionsNo fix (EOL)
SIMATIC Energy Manager PRO V7.4≥ V7.4Update0|<V7.4Update77.4 Update 7
SIMATIC Energy Manager PRO V7.5≥ V7.5Update0|<V7.5Update27.5 Update 2
SIMIT V11< 11.311.3
SIMATIC WinCC Unified V19<V19 Update 419 Update 4
SIMATIC WinCC V8.0<V8.0 Update 38.0 Update 3
SIMATIC Energy Manager PRO V7.3All versionsNo fix (EOL)
Industrial Edge for Machine Tools (formerly known as "SINUMERIK Edge")All versionsNo fix (EOL)
Remediation & Mitigation
0/8
Do now
0/3SIMATIC Energy Manager PRO V7.2
WORKAROUNDFor SIMATIC Energy Manager PRO V7.2 and V7.3 (no fix planned): Disable OPC UA HTTPS endpoint if not required and restrict network access to OPC UA ports using firewall rules
SIMATIC IPC DiagMonitor
WORKAROUNDFor SIMATIC WinCC Unified V18 and SIMATIC IPC DiagMonitor (no fix available): Verify OPC UA HTTPS endpoint is disabled by default; if enabled for your configuration, disable it unless required for operations
All products
HARDENINGFor all affected products: Restrict network access to OPC UA server endpoints (ports 4840/443) to only trusted engineering workstations and authorized monitoring systems using firewall rules
Schedule — requires maintenance window
0/4Patching may require device reboot — plan for process interruption
SIMIT V11
HOTFIXUpdate SIMIT V11 to version 11.3 or later
SIMATIC WinCC Unified V19
HOTFIXUpdate SIMATIC WinCC Unified V19 to Update 4 or later
SIMATIC WinCC V8.0
HOTFIXUpdate SIMATIC WinCC V8.0 to Update 3 or later
All products
HOTFIXUpdate SIMATIC Energy Manager PRO to V7.5 Update 2 or later
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: SIMATIC Energy Manager PRO V7.2, SIMATIC Energy Manager PRO V7.3, Industrial Edge for Machine Tools (formerly known as "SINUMERIK Edge"), SIMATIC IPC DiagMonitor, SIMATIC WinCC Unified V18. Apply the following compensating controls:
HARDENINGIsolate SCADA and energy management networks from business networks and the internet using network segmentation and firewalls
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/ae99ce60-041e-48d0-94b7-c761049b5489Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.