OTPulse

Siemens SIMATIC S7-PLCSIM

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-25-226-03 | Aug 12, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Siemens SIMATIC and TIA Portal products contain a vulnerability in local Windows Named Pipe access control and input validation. The affected products do not properly restrict access permissions to a local Named Pipe and do not properly sanitize user input sent to that pipe. This could allow a local authenticated attacker to cause a type confusion and execute arbitrary code within the affected application's privileges. Affected products include SIMATIC PCS neo (V4.1, V5.0, V6.0), SIMATIC S7-PLCSIM V17, SIMATIC STEP 7 (V17, V18, V19, V20), SIMATIC WinCC (V17, V18, V19, V20), SIMOTION SCOUT TIA (V5.4–V5.7), SINAMICS Startdrive (V17–V20), SIRIUS Safety/Soft Starter ES (V17–V20), SIMOCODE ES (V17–V20), TIA Portal Cloud (V17–V20), and TIA Portal Test Suite V20.

What this means
What could happen
A local user with low privileges on a Windows machine running one of these Siemens engineering or HMI tools could exploit a weakness in a Windows Named Pipe to run arbitrary code with the application's privileges, potentially gaining administrative access or compromising project files and configurations.
Who's at risk
Manufacturing facilities using Siemens automation and engineering tools should be concerned, particularly those running STEP 7, WinCC, SIMATIC PCS neo, S7-PLCSIM, SIMOTION SCOUT TIA, SINAMICS Startdrive, or SIRIUS engineering platforms. This affects engineering workstations and HMI/supervisory control servers where these TIA Portal tools are installed.
How it could be exploited
An attacker with a local user account on a Windows system running an affected Siemens product (such as STEP 7, WinCC, or SIMATIC S7-PLCSIM) sends a specially crafted message to an improperly protected Windows Named Pipe. The message exploits insufficient input validation to cause a type confusion, allowing code execution within the application's security context.
Prerequisites
  • Local user account on the Windows system running an affected product
  • Ability to interact with Windows Named Pipes on that system
  • The affected application must be running
  • Local access required (not remote)
  • Low-privilege user can exploit
  • Low attack complexity
  • Low EPSS score (0.1%)
  • Many products without vendor fixes
  • Requires user interaction (engineer logged in)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (37)
8 with fix, 29 pending
Product | Affected Versions | Fix Status
SIMATIC PCS neo V4.1 | All versions | No fix yet
SIMATIC PCS neo V5.0 | All versions | No fix yet
SIMATIC PCS neo V6.0 | All versions | No fix yet
SIMATIC S7-PLCSIM V17 | All versions | No fix yet
SIMATIC STEP 7 V17 | <V17 Update 9 | 17 Update 9
Remediation & Mitigation
Do now
  • WORKAROUND: On desktop systems, configure Windows to run affected software with only a single local user account active at a time
  • WORKAROUND: On server systems, restrict operating system level access to administrators only
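A host check for the two workarounds above, as an added example that is not part of the advisory or of Siemens tooling. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets and quser.exe; the property names in the report object are illustrative.

```powershell
# Added example: report how far a host is from the two advisory workarounds.
# Run elevated on the engineering workstation or HMI server being checked.

# Well-known SIDs, so the check also works on non-English Windows installs.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$RdpSid    = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users

# Enabled local accounts: each one can reach local named pipes once logged on.
$enabledUsers = @(Get-LocalUser | Where-Object { $_.Enabled })

# Direct members of Administrators (nested domain groups are not expanded).
$adminSids = @(Get-LocalGroupMember -SID $AdminsSid -ErrorAction SilentlyContinue |
    ForEach-Object { $_.SID.Value })

# Server workaround: OS-level access for administrators only.
$nonAdminLocal = @($enabledUsers |
    Where-Object { $adminSids -notcontains $_.SID.Value })
$rdpNonAdmin = @(Get-LocalGroupMember -SID $RdpSid -ErrorAction SilentlyContinue |
    Where-Object { $adminSids -notcontains $_.SID.Value })

# Desktop workaround: one user active at a time. quser prints a header line,
# then one line per logon session (active or disconnected).
$hasQuser = [bool](Get-Command quser.exe -ErrorAction SilentlyContinue)
$sessions = @(if ($hasQuser) { quser.exe 2>$null | Select-Object -Skip 1 })

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    EnabledLocalUsers   = $enabledUsers.Name -join ', '
    NonAdminLocalUsers  = $nonAdminLocal.Name -join ', '
    NonAdminRdpMembers  = $rdpNonAdmin.Name -join ', '
    LogonSessions       = if ($hasQuser) { $sessions.Count } else { 'unknown' }
    SingleSessionOnly   = if ($hasQuser) { $sessions.Count -le 1 } else { $null }
    AdminsOnlyAccess    = ($nonAdminLocal.Count -eq 0 -and $rdpNonAdmin.Count -eq 0)
} | Format-List
```

On domain-joined hosts this covers local accounts and the Remote Desktop Users group only; domain logon rights granted through Group Policy need a separate review.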
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V17
  • HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later
SIMATIC STEP 7 V19
  • HOTFIX: Update SIMATIC STEP 7 V19 to Update 4 or later
SIMATIC STEP 7 V20
  • HOTFIX: Update SIMATIC STEP 7 V20 to Update 4 or later
SIMATIC WinCC V17
  • HOTFIX: Update SIMATIC WinCC V17 to Update 9 or later
SIMATIC WinCC V19
  • HOTFIX: Update SIMATIC WinCC V19 to Update 4 or later
SIMATIC WinCC V20
  • HOTFIX: Update SIMATIC WinCC V20 to Update 4 or later
SIMOTION SCOUT TIA V5.6
  • HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
SIRIUS Safety ES V17 (TIA Portal)
  • HOTFIX: Update TIA Portal Test Suite V20 to Update 4 or later
Long-term hardening
  • HARDENING: Isolate engineering workstations and HMI servers from business networks and the internet using firewalls
  • HARDENING: Implement network segmentation to restrict access to systems running affected Siemens products
Siemens SIMATIC S7-PLCSIM | CVSS 8.2 - OTPulse