Siemens SIMATIC S7-PLCSIM

Status: Plan Patch
CVSS: 7.8
ICS-CERT: ICSA-25-226-11
Published: Aug 12, 2025
Vendor: Siemens
Sector: Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Multiple Siemens engineering tools (SIMATIC STEP 7, SIMATIC WinCC, SIMATIC S7-PLCSIM, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, SIRIUS Soft Starter ES, and TIA Portal Cloud) do not properly validate the contents of project files when parsing them. The weakness is classified as CWE-502 (deserialization of untrusted data) and could allow arbitrary code execution within the affected application when a malicious project file is opened. The attack vector is local: the file has to reach an engineering workstation, and a user has to open it.

What this means
What could happen
An attacker who can get a crafted project file in front of an engineer could have it execute arbitrary code inside the engineering application, with the privileges of the user who opened it. From there the attacker can alter PLC logic, HMI configurations, or control system designs in the project before they are downloaded to production equipment.
Who's at risk
Manufacturing organizations using Siemens TIA Portal engineering tools including STEP 7, WinCC, SIMATIC S7-PLCSIM, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, and SIRIUS Soft Starter ES. The impact is highest for facilities where engineers regularly work with automation projects from external sources or where project file repositories are shared across teams.
How it could be exploited
An attacker creates a malicious .ap17, .ap18, .ap19, or .ap20 project file (or the equivalent format for the other affected tools) whose serialized content is crafted so that the application deserializes it without validation. The file is delivered by email, through a shared project repository, or by social engineering to an engineer or technician. When the engineer opens it in STEP 7, WinCC, or another affected Siemens tool, the unsafe deserialization lets the attacker's code run in the application's context.
Prerequisites
  • Access to an engineering workstation running an affected Siemens tool (STEP 7, WinCC, SIMATIC S7-PLCSIM, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, or SIRIUS Soft Starter ES)
  • User interaction required: an engineer or technician must open a malicious project file
  • No authentication required: the attacker needs no credentials of their own, because the victim's normal workstation session supplies the privileges
  • Low complexity attack
  • User interaction required
  • Affects engineering tools used to program PLCs and safety systems
  • Many affected products have no fix available yet
  • Potential for widespread impact across the Siemens TIA Portal ecosystem
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (33)
7 with fix, 26 pending (the listing below shows 5 of the 33 rows)

Product                  | Affected Versions  | Fix Status
SIMATIC S7-PLCSIM V17    | All versions       | No fix yet
SIMATIC STEP 7 V17       | < V17 Update 9     | V17 Update 9
SIMATIC STEP 7 V18       | All versions       | No fix yet
SIMATIC STEP 7 V19       | < V19 Update 4     | V19 Update 4
SIMATIC STEP 7 V20       | < V20 Update 4     | V20 Update 4
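To turn the "affected versions" column into something you can run over a software inventory export, the following added example (not OTPulse or Siemens code) parses version strings of the form "V19 Update 3" and compares them against the first fixed build. FIX_TABLE is an excerpt holding only the five rows shown on this page; the hostnames and inventory rows in the demo are constructed, and the function that reads your real inventory is up to you.

```python
"""Triage installed Siemens engineering-tool versions against the advisory's fix table.

Added example, not OTPulse or Siemens code. FIX_TABLE is an excerpt of the five
rows shown on this page; extend it from the full advisory before relying on it.
Installed version strings are assumed to look like "V19 Update 3" or "V20".
"""
import re
from typing import Iterable, List, Optional, Tuple

# Excerpt of the advisory table: product -> first fixed version (None = no fix yet)
FIX_TABLE: dict = {
    "SIMATIC S7-PLCSIM V17": None,          # All versions affected, no fix yet
    "SIMATIC STEP 7 V17": "V17 Update 9",
    "SIMATIC STEP 7 V18": None,             # All versions affected, no fix yet
    "SIMATIC STEP 7 V19": "V19 Update 4",
    "SIMATIC STEP 7 V20": "V20 Update 4",
}

# Accepts "V17 Update 9", "17 Update 9" (as the page prints it) and a bare "V17".
_VERSION = re.compile(r"^V?(\d+)(?:\s+Update\s+(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int]:
    """'V19 Update 3' -> (19, 3). A bare 'V19' is the base release, update 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(match.group(1)), int(match.group(2) or 0)


def assess(product: str, installed: str) -> str:
    """Return 'fixed', 'affected', 'no fix available' or 'unknown'.

    'affected' means the installed build is older than the first fixed build,
    which is the advisory's "< V17 Update 9" condition. A major version that
    does not match the table row is reported as 'unknown' rather than guessed.
    """
    if product not in FIX_TABLE:
        return "unknown"
    first_fixed: Optional[str] = FIX_TABLE[product]
    if first_fixed is None:
        return "no fix available"
    inst, fixed = parse_version(installed), parse_version(first_fixed)
    if inst[0] != fixed[0]:
        return "unknown"
    return "fixed" if inst >= fixed else "affected"


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (hostname, product, installed version); returns (hostname, product, status)."""
    return [(host, product, assess(product, version)) for host, product, version in inventory]


if __name__ == "__main__":
    # Constructed inventory export for the demo; hostnames are made up.
    sample = [
        ("ENG-WS-01", "SIMATIC STEP 7 V17", "V17 Update 8"),
        ("ENG-WS-01", "SIMATIC S7-PLCSIM V17", "V17 Update 8"),
        ("ENG-WS-02", "SIMATIC STEP 7 V19", "V19 Update 4"),
        ("ENG-WS-03", "SIMATIC STEP 7 V20", "V20"),
    ]
    for row in triage(sample):
        print(*row, sep="\t")
```

The "no fix available" result is the one to watch: those hosts get the workarounds below rather than a patch, and should be re-checked when the advisory is updated.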
Remediation & Mitigation
Do now
WORKAROUND: Restrict project file sources to trusted engineering teams, and do not open project files received from untrusted sources (email attachments, unknown shares)
WORKAROUND: Implement file integrity checking on engineering project libraries to detect unauthorized modifications
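One way to implement the integrity-checking workaround, as an added example that is not OTPulse or Siemens code: take a SHA-256 baseline of the shared project library while it is known-good, store it outside the library, and diff the tree against it before engineers open anything. Because a TIA Portal project is a folder, the example hashes every file in the tree, not just the .apNN container, and then flags which findings are project containers. The repository layout, file names and contents in demo() are constructed for the demonstration.

```python
"""Hash-baseline integrity check for a shared TIA Portal project repository.

Added example, not OTPulse or Siemens code. Assumes projects live under one
directory tree and that the baseline is taken while the library is known-good
and is stored outside that tree. The demo() scenario is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Project container extensions named in the advisory. The sub-files next to the
# container are what the tool parses on open, so the whole tree is hashed.
PROJECT_EXTENSIONS = {".ap17", ".ap18", ".ap19", ".ap20"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: Dict[str, str], store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> Dict[str, str]:
    return json.loads(store.read_text())


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against the baseline; report added, modified and removed files."""
    current = build_baseline(root)
    return {
        "added": [p for p in current if p not in baseline],
        "modified": [p for p in current if p in baseline and baseline[p] != current[p]],
        "removed": [p for p in baseline if p not in current],
    }


def project_containers(paths: Iterable[str]) -> List[str]:
    """Subset of paths that are .ap17 .. .ap20 containers, the files engineers double-click."""
    return [p for p in paths if Path(p).suffix.lower() in PROJECT_EXTENSIONS]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a library, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"              # the shared project library
        store = Path(tmp) / "store"            # baseline kept outside the library
        store.mkdir()
        proj = repo / "Line3_Press"            # constructed project folder
        (proj / "System").mkdir(parents=True)
        (proj / "Line3_Press.ap19").write_bytes(b"constructed project container")
        (proj / "System" / "PEData.plf").write_bytes(b"constructed project data")

        save_baseline(build_baseline(repo), store / "baseline.json")

        # Simulated tampering: the container is swapped for a crafted one,
        # a file is added, and one is deleted.
        (proj / "Line3_Press.ap19").write_bytes(b"crafted container")
        (proj / "UserFiles").mkdir()
        (proj / "UserFiles" / "readme.txt").write_bytes(b"constructed new file")
        (proj / "System" / "PEData.plf").unlink()

        return verify(repo, load_baseline(store / "baseline.json"))


if __name__ == "__main__":
    findings = demo()
    for kind, paths in findings.items():
        for p in paths:
            tag = " [project container]" if p in project_containers(paths) else ""
            print(f"{kind}: {p}{tag}")
```

Run build_baseline and save_baseline from a trusted host right after a project is approved, and run verify from a scheduled task before the library is made available to engineers; a modified or added project container is the finding that warrants blocking the file until someone has checked where it came from.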
Schedule — requires maintenance window

Updating the engineering software may require a reboot of the engineering workstation; plan for the interruption to engineering work

SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17 to version 17 Update 9 or later
SIMATIC STEP 7 V19
HOTFIX: Update SIMATIC STEP 7 V19 to version 19 Update 4 or later
SIMATIC STEP 7 V20
HOTFIX: Update SIMATIC STEP 7 V20 to version 20 Update 4 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to version 17 Update 9 or later
SIMATIC WinCC V19
HOTFIX: Update SIMATIC WinCC V19 to version 19 Update 4 or later
SIMATIC WinCC V20
HOTFIX: Update SIMATIC WinCC V20 to version 20 Update 4 or later
SIMOTION SCOUT TIA V5.6
HOTFIX: Update SIMOTION SCOUT TIA V5.6 to version 5.6 SP1 HF7 or later
TIA Portal Cloud V19 / V20
HOTFIX: Update TIA Portal Cloud V19 to version 5.2.1.1 or later, and then update STEP 7 V19 to Update 4 or later
HOTFIX: Update TIA Portal Cloud V20 to version 5.2.2.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate engineering workstations from untrusted networks, and restrict email delivery of project files into engineering zones


Siemens SIMATIC S7-PLCSIM | CVSS 7.8 - OTPulse