Siemens OPC UA

Plan Patch | CVSS 9.1 | ICS-CERT ICSA-25-072-09 | Mar 11, 2025
Siemens | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens SCADA and HMI products contain two vulnerabilities in their OPC UA server implementations (CWE-208, observable timing discrepancy; CWE-305, authentication bypass by primary weakness) that allow unauthenticated remote attackers to access operational data. Affected products include SIMATIC Energy Manager PRO (multiple versions), SIMATIC WinCC Unified (V18, V19), SIMATIC WinCC V8.0, SIMIT V11, Industrial Edge for Machine Tools, and SIMATIC IPC DiagMonitor. The vulnerabilities give access to sensitive operational parameters without valid credentials. Siemens has released fixes for some versions, but several product lines have no fix planned or available, in particular the older Energy Manager PRO releases (V7.2, V7.3) and WinCC Unified V18.

What this means
What could happen
An attacker could bypass authentication and gain unauthorized access to SCADA/HMI systems and energy management servers, potentially reading or altering critical operational data and process parameters without requiring valid credentials.
Who's at risk
Energy utilities and manufacturing plants running Siemens SIMATIC WinCC HMI systems, SIMATIC Energy Manager PRO for power monitoring, or SIMIT simulation software should be concerned. WinCC Unified is especially critical because it is widely deployed for supervisory control of substations and generator operations. Energy Manager PRO directly handles real-time energy data and process setpoints. Industrial Edge for Machine Tools (formerly SINUMERIK Edge) and IPC DiagMonitor extend the exposure to machine tool and industrial edge deployments.
How it could be exploited
An attacker with network access to the OPC UA server endpoints (typically TCP port 4840 for opc.tcp or TCP port 443 for OPC UA HTTPS) could send specially crafted requests that defeat the authentication handling of OPC UA connections and read the server's data. No valid credentials are needed.
Prerequisites
  • Network access to the OPC UA server endpoints (typically TCP port 4840 for the OPC UA binary protocol, opc.tcp, or TCP port 443 for OPC UA HTTPS)
  • The OPC UA HTTPS endpoint must be enabled (disabled by default in WinCC Unified RT and IPC DiagMonitor, enabled by default in the other affected products)
Key points
  • Remotely exploitable over the network
  • No authentication required (authentication bypass)
  • Low attack complexity
  • High impact on confidentiality and integrity of operational data
  • Multiple affected products with no fix planned (Energy Manager PRO V7.2 and V7.3, WinCC Unified V18, Industrial Edge for Machine Tools, IPC DiagMonitor)
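To make the prerequisites above (and the "verify the OPC UA HTTPS endpoint is disabled" workaround in the mitigation section) checkable, here is an added Python audit that is not code from Siemens, from the advisory, or from any of the listed products. It tests whether the two default OPC UA ports answer on a host and inspects the endpoint list a server advertises for the HTTPS endpoint, for SecurityPolicy None, and for anonymous login. The Endpoint class, the host name hmi-01.plant.example and the sample endpoint list are assumptions constructed for this example; in a live check the list would come from a GetEndpoints call (for instance Client.get_endpoints() in the python-opcua/asyncua libraries).

```python
"""Added example for this advisory page (not Siemens code): audit what an OPC UA
server exposes for the conditions the advisory depends on.  Endpoint mirrors a
subset of the OPC UA EndpointDescription fields returned by GetEndpoints; the
sample data and host name below are constructed, not captured from a device."""
import socket
from dataclasses import dataclass, field

OPCUA_BINARY_PORT = 4840  # default port for opc.tcp endpoints
OPCUA_HTTPS_PORT = 443    # default port for OPC UA HTTPS endpoints (advisory precondition)

POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"


@dataclass
class Endpoint:
    """Subset of an OPC UA EndpointDescription (assumed shape for this example)."""
    url: str                 # e.g. opc.tcp://host:4840/ or https://host:443/
    security_mode: str       # "None", "Sign" or "SignAndEncrypt"
    security_policy: str     # SecurityPolicy URI
    user_token_types: list = field(default_factory=list)  # "Anonymous", "UserName", "Certificate"


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect: is this OPC UA port reachable from where the check runs?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_endpoints(endpoints) -> list:
    """Flag endpoint settings that widen unauthenticated access.

    Returns (finding, endpoint_url) tuples.  HTTPS_ENDPOINT_ENABLED is the
    prerequisite named in the advisory; the other two are general OPC UA
    hardening gaps that make any authentication weakness worse.
    """
    findings = []
    for ep in endpoints:
        scheme = ep.url.split("://", 1)[0].lower()
        if scheme == "https":
            findings.append(("HTTPS_ENDPOINT_ENABLED", ep.url))
        if ep.security_mode == "None" or ep.security_policy == POLICY_NONE:
            findings.append(("NO_MESSAGE_SECURITY", ep.url))
        if "Anonymous" in ep.user_token_types:
            findings.append(("ANONYMOUS_LOGIN_ALLOWED", ep.url))
    return findings


def https_endpoint_enabled(endpoints) -> bool:
    """True when the 'OPC UA HTTPS endpoint disabled' workaround is NOT in place."""
    return any(f == "HTTPS_ENDPOINT_ENABLED" for f, _ in audit_endpoints(endpoints))


# Constructed sample (hypothetical host): a hardened opc.tcp endpoint next to an
# HTTPS endpoint that was left enabled with anonymous access.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://hmi-01.plant.example:4840/", "SignAndEncrypt",
             "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
             ["UserName", "Certificate"]),
    Endpoint("https://hmi-01.plant.example:443/", "None", POLICY_NONE,
             ["Anonymous", "UserName"]),
]


def exposure_report(host: str, endpoints, timeout: float = 2.0) -> dict:
    """Combine reachability of the two default ports with the endpoint audit."""
    return {
        "binary_port_reachable": port_open(host, OPCUA_BINARY_PORT, timeout),
        "https_port_reachable": port_open(host, OPCUA_HTTPS_PORT, timeout),
        "https_endpoint_enabled": https_endpoint_enabled(endpoints),
        "findings": audit_endpoints(endpoints),
    }


if __name__ == "__main__":
    # Offline demo: reachability against localhost (nothing listening gives False),
    # endpoint audit against the constructed sample.
    for key, value in exposure_report("127.0.0.1", SAMPLE_ENDPOINTS, timeout=0.5).items():
        print(f"{key}: {value}")
```

Run the reachability part from a host that is not an approved engineering workstation: if the ports answer, the firewall restriction recommended below is missing. An HTTPS_ENDPOINT_ENABLED finding on a product with no fix (Energy Manager PRO V7.2/V7.3, WinCC Unified V18, IPC DiagMonitor, Industrial Edge for Machine Tools) is the signal to apply the disable-endpoint workaround.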
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (10)
5 with fix, 5 EOL

Product | Affected Versions | Fix Status
SIMATIC Energy Manager PRO V7.2 | All versions | No fix (EOL)
SIMATIC Energy Manager PRO V7.3 | All versions | No fix (EOL)
SIMATIC Energy Manager PRO V7.4 | V7.4 Update 0 up to, but excluding, V7.4 Update 7 | Fixed in V7.4 Update 7
SIMATIC Energy Manager PRO V7.5 | V7.5 Update 0 up to, but excluding, V7.5 Update 2 | Fixed in V7.5 Update 2
SIMIT V11 | All versions < V11.3 | Fixed in V11.3
SIMATIC WinCC Unified V18 | All versions | No fix (EOL)
SIMATIC WinCC Unified V19 | All versions < V19 Update 4 | Fixed in V19 Update 4
SIMATIC WinCC V8.0 | All versions < V8.0 Update 3 | Fixed in V8.0 Update 3
Industrial Edge for Machine Tools (formerly known as "SINUMERIK Edge") | All versions | No fix (EOL)
SIMATIC IPC DiagMonitor | All versions | No fix (EOL)
Remediation & Mitigation
Do now
SIMATIC Energy Manager PRO V7.2 / V7.3
WORKAROUND: For SIMATIC Energy Manager PRO V7.2 and V7.3 (no fix planned): disable the OPC UA HTTPS endpoint if it is not required, and restrict network access to the OPC UA ports with firewall rules.
SIMATIC WinCC Unified V18 / SIMATIC IPC DiagMonitor
WORKAROUND: For SIMATIC WinCC Unified V18 and SIMATIC IPC DiagMonitor (no fix available): the OPC UA HTTPS endpoint is disabled by default. Verify that it is still disabled; if it has been enabled in your configuration, disable it unless operations require it.
All products
HARDENING: For all affected products: restrict network access to the OPC UA server endpoints (TCP ports 4840 and 443) to trusted engineering workstations and authorized monitoring systems using firewall rules.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMIT V11
HOTFIX: Update SIMIT V11 to V11.3 or later
SIMATIC WinCC Unified V19
HOTFIX: Update SIMATIC WinCC Unified V19 to Update 4 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to Update 3 or later
SIMATIC Energy Manager PRO V7.4 / V7.5
HOTFIX: Update SIMATIC Energy Manager PRO V7.4 to Update 7 or later, and V7.5 to Update 2 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC Energy Manager PRO V7.2, SIMATIC Energy Manager PRO V7.3, Industrial Edge for Machine Tools (formerly known as "SINUMERIK Edge"), SIMATIC IPC DiagMonitor, SIMATIC WinCC Unified V18. Apply the following compensating controls:
HARDENING: Isolate SCADA and energy management networks from business networks and the internet using network segmentation and firewalls