Siemens WIBU CodeMeter Runtime

Priority: Plan Patch
CVSS: 8.2
ICS-CERT: ICSA-25-226-05
Published: Aug 12, 2025
Vendor: Siemens
Sector: Manufacturing
Attack path
  • Attack Vector: Local
  • Auth Required: High
  • Complexity: Low
  • User Interaction: None needed
Summary

WIBU Systems CodeMeter Runtime contains a privilege escalation vulnerability that affects Siemens SIMATIC WinCC OA versions 3.18, 3.19, and 3.20, as well as SIMATIC PDM Maintenance Station, both of which ship with the runtime. The vulnerability allows a local user who already holds administrative privileges to escalate their access further or bypass security controls. Siemens has released patches for the affected WinCC OA versions but states that SIMATIC PDM Maintenance Station will not receive a fix. Exploitation requires local access to an affected system; remote exploitation is not possible.

What this means
What could happen
A local attacker with administrative privileges on a system running SIMATIC WinCC OA or PDM Maintenance Station could escalate privileges or circumvent security controls through the CodeMeter Runtime vulnerability, potentially allowing them to modify process parameters, override alarms, or disrupt operations from the engineering workstation.
Who's at risk
Industrial sites using Siemens SIMATIC WinCC OA (versions 3.18, 3.19, 3.20) as their SCADA/HMI platform or SIMATIC PDM Maintenance Station for device configuration are affected. This applies to any plant where engineering or maintenance staff use these workstations to configure or monitor industrial processes, including power generation, refining, water treatment, and discrete manufacturing.
How it could be exploited
An attacker with local access and administrative credentials can exploit the privilege escalation vulnerability in the CodeMeter Runtime bundled with SIMATIC WinCC OA and PDM Maintenance Station. The attacker must already hold administrator-level access on the engineering or maintenance workstation where these products run; the vulnerability does not provide that initial access. Once exploited, the attacker could execute code with elevated privileges to manipulate the SCADA/HMI system or its underlying controls.
Prerequisites
  • Local access to a system running affected SIMATIC WinCC OA or PDM Maintenance Station
  • Administrator or elevated user privileges on the workstation
  • CodeMeter Runtime must be installed
Key points
  • Requires local access and high privileges
  • No remote exploitation possible
  • Affects SCADA/HMI engineering environments
  • No fix available for PDM Maintenance Station
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
3 with fix, 1 EOL

Product                                 Affected Versions    Fix Status
SIMATIC WinCC OA V3.18                  < V3.18 P032         V3.18 P032
SIMATIC WinCC OA V3.19                  < V3.19 P020         V3.19 P020
SIMATIC WinCC OA V3.20                  < V3.20 P008         V3.20 P008
SIMATIC PDM Maintenance Station V5.0    All versions         No fix (EOL)
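To turn the fix table above into an inventory check, the following added example (not tooling from the advisory, Siemens, or OTPulse) parses WinCC OA version strings of the form "V3.18 P031" and classifies each asset against the fixed patch levels listed above. The host names and the inventory entries are constructed for illustration; the version-string format is an assumption, so adapt the regular expression to whatever your asset inventory actually records.

```python
"""Classify SIMATIC WinCC OA / PDM Maintenance Station inventory entries against
the fixed patch levels from the advisory table.

Added example, not vendor tooling. Host names and version strings below are
constructed; the "V3.18 P031" format is an assumption about the inventory.
"""
import re

# Fixed patch levels from the advisory, keyed by WinCC OA (major, minor).
FIXED_PATCH = {(3, 18): 32, (3, 19): 20, (3, 20): 8}

# Accepts "V3.18 P031", "3.18 P31", "V3.20" (no patch level -> P000).
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\s*P(\d+))?$", re.IGNORECASE)

# Constructed sample inventory: (host, product, version string).
SAMPLE_INVENTORY = [
    ("eng-ws-01", "SIMATIC WinCC OA", "V3.18 P031"),
    ("eng-ws-02", "SIMATIC WinCC OA", "V3.19 P020"),
    ("eng-ws-03", "SIMATIC WinCC OA", "3.20"),
    ("maint-ws-01", "SIMATIC PDM Maintenance Station", "V5.0"),
    ("eng-ws-04", "SIMATIC WinCC OA", "V3.17 P010"),
]

# Recommended action per status, mirroring the remediation section.
ACTIONS = {
    "vulnerable": "schedule hotfix in a maintenance window",
    "fixed": "no action",
    "no-fix-eol": "apply compensating controls (segmentation, logon restriction)",
    "not-listed": "verify manually against the vendor advisory",
}


def parse_version(text):
    """Return (major, minor, patch) from a version string; missing patch is 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def assess(product, version):
    """Classify one asset as vulnerable, fixed, no-fix-eol, or not-listed."""
    if product == "SIMATIC PDM Maintenance Station":
        # Advisory: all versions affected, vendor will not release a patch.
        return "no-fix-eol"
    if product != "SIMATIC WinCC OA":
        return "not-listed"
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Version line not named in the advisory (e.g. V3.17); do not assume safe.
        return "not-listed"
    return "fixed" if patch >= fixed else "vulnerable"


def report(inventory):
    """Return (host, status, action) for every inventory entry."""
    rows = []
    for host, product, version in inventory:
        status = assess(product, version)
        rows.append((host, status, ACTIONS[status]))
    return rows


if __name__ == "__main__":
    for host, status, action in report(SAMPLE_INVENTORY):
        print(f"{host:12} {status:11} {action}")
```

An installed WinCC OA with no recorded patch level is treated as P000 and therefore as vulnerable, and a version line the advisory does not name is reported as "not-listed" rather than silently assumed safe; both choices err toward follow-up work rather than a false clean result.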
Remediation & Mitigation
Do now
HARDENING: Restrict local logon on engineering workstations to authorized personnel only; disable interactive logons for service accounts and any other accounts that do not need them.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC OA V3.18
HOTFIX: Update SIMATIC WinCC OA V3.18 to patch level P032 or later
SIMATIC WinCC OA V3.19
HOTFIX: Update SIMATIC WinCC OA V3.19 to patch level P020 or later
SIMATIC WinCC OA V3.20
HOTFIX: Update SIMATIC WinCC OA V3.20 to patch level P008 or later
Mitigations - no patch available
SIMATIC PDM Maintenance Station V5.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate engineering and maintenance workstations running WinCC OA and PDM Maintenance Station from the business network using dedicated subnets or network segmentation