Siemens SIMATIC S7-PLCSIM
Plan Patch · 7.8 · ICS-CERT ICSA-25-226-11 · Aug 12, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Affected Siemens products do not properly sanitize user-controllable input when parsing project files. A type confusion vulnerability during file parsing could allow arbitrary code execution within the engineering application. Siemens has released fixes for STEP 7 V17 Update 9, V19 Update 4, and V20 Update 4; WinCC V17 Update 9, V19 Update 4, and V20 Update 4; SIMOTION SCOUT TIA V5.6 SP1 HF7; and TIA Portal Cloud V19. No fixes are planned for SIMATIC S7-PLCSIM V17, STEP 7 V18, WinCC V18, SIMOCODE ES (all versions), SIMOTION SCOUT TIA V5.4/5.5/5.7, SINAMICS Startdrive (all versions), SIRIUS Safety ES and Soft Starter ES (all versions), or TIA Portal Cloud V17/V18/V20.
What this means
What could happen
An attacker could execute arbitrary code on engineering workstations running affected Siemens software (STEP 7, WinCC, SIMOTION SCOUT TIA, SIMOCODE ES, SINAMICS Startdrive, SIRIUS, or TIA Portal Cloud) by sending a malicious project file. This could allow them to gain control of the engineering environment and potentially modify control logic deployed to PLCs and motor controllers.
Who's at risk
Manufacturing facilities using Siemens engineering and automation tools should be concerned. This affects multiple product lines: STEP 7 (PLC programming software), WinCC (HMI/SCADA software), SIMOTION SCOUT TIA (motion control), SIMOCODE ES (soft starter engineering), SINAMICS Startdrive (drive control), SIRIUS (safety and soft starters), and TIA Portal Cloud (cloud engineering platform). Any facility with Siemens PLCs, drives, or motion systems that use these engineering tools is affected if they run vulnerable versions.
How it could be exploited
An attacker crafts a malicious project file (.ap* format or similar) that exploits unsafe deserialization in the software's project parser. When an engineer opens the file on a workstation, the type confusion vulnerability in the parsing code executes arbitrary code within the engineering application's process, running with the engineer's privileges.
Prerequisites
- User interaction required: engineer must open a malicious project file on a workstation running affected software
- Attacker must deliver the malicious project file to the target (via email, shared drive, or other file transfer)
- Engineering workstation running one of the affected Siemens products (STEP 7, WinCC, SIMOTION SCOUT TIA, etc.)
- User interaction required (engineer must open malicious file)
- Affects engineering workstations, not runtime systems directly
- Many products have no fix available
- Could lead to control logic tampering
- Requires delivery method (email, file share)
- Type confusion vulnerability suggests moderate-complexity exploit
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (33)
7 with fix · 26 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC S7-PLCSIM V17 | All versions | No fix yet |
| SIMATIC STEP 7 V17 | <V17 Update 9 | 17 Update 9 |
| SIMATIC STEP 7 V18 | All versions | No fix yet |
| SIMATIC STEP 7 V19 | <V19 Update 4 | 19 Update 4 |
| SIMATIC STEP 7 V20 | <V20 Update 4 | 20 Update 4 |
Remediation & Mitigation
Do now
- WORKAROUND: Only open project files from trusted sources; reject or verify projects from unknown or external senders before opening
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SIMATIC STEP 7 V17
- HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later
SIMATIC STEP 7 V19
- HOTFIX: Update SIMATIC STEP 7 V19 to Update 4 or later
SIMATIC STEP 7 V20
- HOTFIX: Update SIMATIC STEP 7 V20 to Update 4 or later
SIMATIC WinCC V17
- HOTFIX: Update SIMATIC WinCC V17 to Update 9 or later
SIMATIC WinCC V19
- HOTFIX: Update SIMATIC WinCC V19 to Update 4 or later
SIMATIC WinCC V20
- HOTFIX: Update SIMATIC WinCC V20 to Update 4 or later
SIMOTION SCOUT TIA V5.6
- HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
SIRIUS Safety ES V17 (TIA Portal)
- HOTFIX: Update TIA Portal Cloud V19 to version 5.2.1.1 or later
Long-term hardening
- HARDENING: Educate engineers about the risk of opening unsolicited project files and implement file transfer controls (scan or quarantine) for project files from external sources
- HARDENING: Isolate engineering workstations from general corporate networks and limit outbound network access from engineering workstations
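One way to implement the scan-or-quarantine control for inbound project files, as an added example (not Siemens code and not part of the advisory). It assumes external transfers land in a drop folder and that the team maintains a SHA-256 allowlist of projects verified with their sender; the folder names, the allowlist and the sample files are constructed, and the `.ap*` pattern from the advisory is matched by file suffix.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in chunks so large project files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_inbound(inbound: Path, quarantine: Path, trusted_hashes: set) -> dict:
    """Leave allowlisted project files in place; move every other file whose
    suffix starts with `.ap` into quarantine. `trusted_hashes` is an assumed,
    team-maintained allowlist of SHA-256 digests (hypothetical)."""
    quarantine.mkdir(parents=True, exist_ok=True)
    report = {"released": [], "quarantined": []}
    for path in sorted(inbound.rglob("*")):
        if not path.is_file() or not path.suffix.lower().startswith(".ap"):
            continue
        file_hash = sha256_of(path)
        if file_hash in trusted_hashes:
            report["released"].append(path.name)
            continue
        # The hash prefix avoids name collisions; the extra suffix breaks the
        # file association so a double-click no longer opens the project.
        target = quarantine / f"{file_hash[:16]}_{path.name}.quarantined"
        shutil.move(str(path), str(target))
        report["quarantined"].append(path.name)
    return report


def demo() -> dict:
    """Constructed sample: dummy files, one of them on the allowlist."""
    root = Path(tempfile.mkdtemp())
    inbound, quarantine = root / "inbound", root / "quarantine"
    inbound.mkdir()
    (inbound / "line3_vendor.ap19").write_bytes(b"constructed: verified project")
    (inbound / "invoice_update.AP20").write_bytes(b"constructed: unknown sender")
    (inbound / "readme.txt").write_bytes(b"not a project file")
    trusted = {sha256_of(inbound / "line3_vendor.ap19")}
    report = triage_inbound(inbound, quarantine, trusted)
    report["left_in_inbound"] = sorted(p.name for p in inbound.iterdir())
    report["in_quarantine"] = len(list(quarantine.iterdir()))
    return report
```

The suffix match is deliberately broad, so unrelated files ending in `.ap…` are also held; releasing a file means adding its hash to the allowlist after verifying it with the sender.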
CVEs (1)