Siemens Web Installer

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-25-226-22 | Aug 12, 2025
Siemens | Energy | Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A DLL hijacking vulnerability exists in the installers used for numerous Siemens automation products. When a user installs an affected product, the installer searches for required DLL files. An attacker with access to the local installation directory can place a malicious DLL that matches an expected filename, causing the installer to load and execute the attacker's code with the privileges of the installation process. The vulnerability is present during the setup and installation phase of affected applications downloaded via OSD (Online Software Delivery). Siemens has released patches for some products but states that no fixes are planned for many others. Siemens recommends using clean, empty directories for installation and restricting local access to installation areas.

What this means
What could happen
An attacker with access to the local installation directory could inject a malicious DLL file that executes arbitrary code when a user installs an affected Siemens application, potentially compromising engineering workstations or control system configuration tools.
Who's at risk
Organizations running Siemens automation and control software, particularly those using TIA Portal, SIMATIC WinCC, SIMATIC PCS 7, SIMATIC S7-1500, Process Historian, and related engineering tools on workstations. This affects anyone who installs or updates Siemens industrial control system software, including utilities, chemical plants, power generation, and discrete manufacturing operations.
How it could be exploited
An attacker places a malicious DLL in the directory where a user will extract or run a Siemens product installer. When the installer searches for required DLLs, it loads the attacker's malicious file instead of the legitimate one, executing arbitrary code with the privileges of the installer process and the logged-in user.
Prerequisites
  • Local access to the installation directory before the installer runs
  • User must initiate installation of an affected Siemens product from that directory
  • Attacker must predict the DLL names the installer searches for
  • Local exploitation only, no remote execution
  • Requires user interaction (installation must be initiated)
  • High number of products affected with no fixes planned
  • Engineering workstation compromise could lead to control system misconfiguration
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (139)
53 with fix, 86 pending
Product | Affected Versions | Fix Status
SIMATIC Energy Suite V18 | All versions | No fix yet
SIMATIC Energy Suite V19 | <V19 Update 4 | 19 Update 4
SIMATIC Logon V1.6 | All versions | No fix yet
SIMATIC Logon V2.0 | <V2.0 Upd3 | 2.0 Upd3
SIMATIC Management Agent | <V9.1 SP1 Upd8 | 9.1 SP1 Upd8
Remediation & Mitigation
Do now
WORKAROUND: When installing Siemens products, use an empty directory (new folder with no pre-existing files) to minimize the likelihood of malicious DLLs being present
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Energy Suite V19
HOTFIX: Update affected products to the latest patched versions listed in the advisory (e.g., TIA Portal V17 Update 9, SIMATIC Energy Suite V19 Update 4, SIMATIC WinCC Runtime Professional V21)
All products
HARDENING: For products without available fixes, implement host hardening controls such as file integrity monitoring on installation directories and access controls on workstations where setup occurs
Long-term hardening
HARDENING: Restrict local access to engineering workstations and installation directories to trusted personnel only
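
One way to check the empty-directory workaround and the access-control hardening before setup is started, as an added example that is not part of the advisory or any Siemens tooling. It assumes the download is a single installer file passed as -InstallerPath (a placeholder path) and that SYSTEM, Administrators, TrustedInstaller and the user running setup are the only accounts that should be able to add files to the folder.

```powershell
# Added example: pre-install check of the folder an installer will be started from.
# -InstallerPath is a placeholder, e.g. D:\Staging\Setup.exe; no product file names are assumed.
param([Parameter(Mandatory)][string]$InstallerPath)

$installer = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
$folder    = $installer.Directory.FullName
$findings  = @()

# 1. Workaround check: the folder should contain nothing except the installer itself.
$others = Get-ChildItem -LiteralPath $folder -Force |
    Where-Object { $_.FullName -ne $installer.FullName }
foreach ($item in $others) {
    $sig = 'n/a (directory)'
    if (-not $item.PSIsContainer) {
        # Shown for triage only: a valid signature does not make the file expected here.
        $sig = (Get-AuthenticodeSignature -LiteralPath $item.FullName).Status
    }
    $findings += [pscustomobject]@{
        Check = 'UnexpectedItem'; Subject = $item.Name; Detail = "Authenticode: $sig"
    }
}

# 2. Hardening check: who else is allowed to create files in the folder?
# Assumption: these four identities are the trusted set; adjust to site policy.
$trustedSids = @(
    'S-1-5-18',                                                        # LocalSystem
    'S-1-5-32-544',                                                    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',  # TrustedInstaller
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # user running setup
)
# FILE_ADD_FILE (0x2) plus GENERIC_ALL / GENERIC_WRITE, which Get-Acl can return unmapped.
$writeMask   = 0x2 -bor 0x10000000 -bor 0x40000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }   # does not apply to this folder
    if ((([int]$ace.FileSystemRights) -band $writeMask) -eq 0) { continue }
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($trustedSids -notcontains $sid) {
        $findings += [pscustomobject]@{
            Check = 'WritableByOthers'; Subject = $ace.IdentityReference.Value
            Detail = [string]$ace.FileSystemRights
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1
}
"OK: $folder holds only the installer and only trusted accounts can add files to it."
```

A non-zero exit code means the folder should be reviewed, or the installer moved to a new empty folder with restricted permissions, before setup is run.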
API: /api/v1/advisories/cb4bc40c-feee-426c-bc12-a901242f886c


Siemens Web Installer | CVSS 7.8 - OTPulse