Plan Patch | CVSS 8.2 | ICS-CERT ICSA-25-226-03 | Aug 12, 2025
Siemens | Manufacturing
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Multiple Siemens engineering and control software products do not properly restrict access to a local Windows Named Pipe and do not sanitize user-controllable input sent to that pipe. A local, authenticated attacker can use this to trigger a type confusion and execute arbitrary code in the context of the affected application. The vulnerability affects the TIA Portal ecosystem (STEP 7, WinCC, SIMATIC PCS neo, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS engineering tools, and related modules). Siemens has released patches for STEP 7 V17/V19/V20, WinCC V17/V19/V20, SIMOTION SCOUT TIA V5.6, and TIA Portal Test Suite V20. Many product families, including PCS neo, WinCC V18, STEP 7 V18, SIMOCODE ES, SINAMICS Startdrive, SIRIUS tools, and TIA Portal Cloud, have no fix available or planned.
What this means
What could happen
A local attacker with a valid Windows user account could exploit this vulnerability to execute arbitrary code within Siemens engineering and control software, potentially allowing them to modify project files, alter PLC logic, or disrupt plant engineering and commissioning activities.
Who's at risk
This affects organizations that use Siemens engineering software for PLC programming and commissioning, including manufacturers using SIMATIC S7 controllers, motor control centers (SIRIUS, SINAMICS), and motion control systems (SIMOTION). The vulnerability affects the TIA Portal suite (STEP 7, WinCC, test environments) and associated engineering tools across multiple product families. Primary impact is on engineering teams and system integrators, not on running production equipment.
How it could be exploited
An attacker must log into a Windows workstation or server running affected Siemens software with standard user credentials. The attacker then sends a malformed message to a Windows Named Pipe that the software exposes without proper access controls or input validation. This causes type confusion in memory, allowing arbitrary code execution within the affected application's process.
Prerequisites
Local login to the same Windows system running affected Siemens software
Standard (non-administrator) user account or higher
Physical or remote desktop access to the affected workstation or server
Local access required (not remotely exploitable)
Low attack complexity
Affects multiple Siemens engineering platforms
Many products have no fix available or planned
Affects safety-related engineering tools (SIRIUS Safety ES, SIMOTION SCOUT TIA)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (37)
8 with fix, 29 pending
Product | Affected Versions | Fix Status
SIMATIC PCS neo V4.1 | All versions | No fix yet
SIMATIC PCS neo V5.0 | All versions | No fix yet
SIMATIC PCS neo V6.0 | All versions | No fix yet
SIMATIC S7-PLCSIM V17 | All versions | No fix yet
SIMATIC STEP 7 V17 | < V17 Update 9 | V17 Update 9
Remediation & Mitigation
Do now
WORKAROUND: For desktop systems running affected software without available patches, configure Windows to run the application with only a single user account logged in at any time
WORKAROUND: For server systems running affected software without available patches, restrict operating system-level access to the affected software to administrators only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later
SIMATIC STEP 7 V19
HOTFIX: Update SIMATIC STEP 7 V19 to Update 4 or later
SIMATIC STEP 7 V20
HOTFIX: Update SIMATIC STEP 7 V20 to Update 4 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to Update 9 or later
SIMATIC WinCC V19
HOTFIX: Update SIMATIC WinCC V19 to Update 4 or later
SIMATIC WinCC V20
HOTFIX: Update SIMATIC WinCC V20 to Update 4 or later
SIMOTION SCOUT TIA V5.6
HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
SIRIUS Safety ES V17 (TIA Portal)
HOTFIX: Update TIA Portal Test Suite V20 to Update 4 or later
Long-term hardening
SIRIUS Safety ES V17 (TIA Portal)
HARDENING: Isolate engineering workstations and TIA Portal servers on a physically or logically separate network segment from production control networks and the internet
All products
HARDENING: Restrict remote access to affected workstations and servers to VPN connections from trusted IP ranges, and disable unauthenticated remote desktop or RDP access
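The weakness this advisory describes is a local Named Pipe whose DACL does not restrict who may write to it. The following PowerShell check is an added example (not part of the advisory or of any Siemens tooling) that a defender can run on an engineering workstation to list pipes writable by low-privilege principals; it assumes Sysinternals AccessChk (accesschk.exe) is on PATH, and the advisory names no specific pipe, so it audits all pipes rather than a known name.

```powershell
# Added example: audit Named Pipe DACLs with Sysinternals AccessChk and flag
# pipes that grant write access to low-privilege principals (the access-control
# weakness described in ICSA-25-226-03). Assumes accesschk.exe is on PATH.
param(
    [string]$AccessChk = 'accesschk.exe',   # assumed location of AccessChk
    [string[]]$LowPrivPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users',
        'NT AUTHORITY\INTERACTIVE'
    )
)

# -w lists only objects that grant write access; -accepteula/-nobanner keep the
# run non-interactive. Object names are unindented, accounts are indented below
# them with an "RW", "R " or "W " access column, e.g.
#   \\.\Pipe\example
#     RW BUILTIN\Administrators
#     W  Everyone
$raw = & $AccessChk -accepteula -nobanner -w '\pipe\*' 2>$null

$findings = @()
$currentPipe = $null
foreach ($line in $raw) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    if ($line -match '^\S') {
        # Unindented line: a new pipe object.
        $currentPipe = $line.Trim()
        continue
    }
    # Indented line: "<access> <account>"; keep only write-capable entries.
    if ($currentPipe -and $line -match '^\s+(RW|W)\s+(.+?)\s*$') {
        $account = $Matches[2]
        if ($LowPrivPrincipals -contains $account) {
            $findings += [pscustomobject]@{
                Pipe      = $currentPipe
                Principal = $account
                Access    = $Matches[1]
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No named pipes grant write access to low-privilege principals.'
} else {
    # Each row is a pipe a standard (non-administrator) local user could write to.
    $findings | Sort-Object Pipe, Principal | Format-Table -AutoSize
}
```

Run it before and after applying the workarounds above; a pipe belonging to affected software that still appears in the output means a standard local account can reach it, and the server-side workaround of restricting OS-level access is the remaining control.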