OTPulse

Siemens Web Installer

Plan Patch
CVSS: 7.8
ICS-CERT ICSA-25-226-22
Aug 12, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Multiple Siemens installers are affected by a DLL hijacking vulnerability (CWE-427). When a user runs an installer for one of the affected products, an attacker can place a malicious DLL in the installation directory. Due to the way the installer searches for and loads DLLs, it may load the attacker's malicious library instead of the legitimate one, allowing arbitrary code execution with the privileges of the installing user. The vulnerability exists during the application setup and installation phase. Siemens has released patches for some products and versions, but no fixes are planned for many older or specialized product versions.

What this means
What could happen
An attacker could trick a user into running an installer from a directory that contains a malicious DLL, allowing the attacker to run arbitrary code with the privileges of the installing user. This could compromise engineering workstations and allow modification of control logic or process parameters.
Who's at risk
This affects multiple Siemens engineering and configuration tools used on Windows systems: TIA Portal and its components (versions 17–20), WinCC HMI software (versions 7.5–8.1), PCS 7 process control libraries and faceplates, SIMATIC management tools, automation software, and device configuration tools. Energy utilities and manufacturers using Siemens automation systems for process control are affected. This is primarily a risk to engineering workstations where software installation occurs, not typically deployed systems.
How it could be exploited
An attacker places a malicious DLL in the installation directory before a user runs the Siemens product installer. When the installer executes, it loads the malicious DLL instead of the legitimate one due to DLL search order hijacking. The attacker gains code execution in the context of the user running the installer.
Prerequisites
  • User with local administrator or sufficient privileges to run the installer
  • Access to the installation directory (e.g., shared network folder or user's Downloads folder)
  • User must actually run the installer application
  • Local exploitation required
  • User interaction needed (install action)
  • No authentication bypassed
  • Affects engineering/configuration tools
  • Large number of products with no fix planned
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (139)
53 with fix, 86 pending
Product | Affected Versions | Fix Status
SIMATIC Energy Suite V18 | All versions | No fix yet
SIMATIC Energy Suite V19 | <V19 Update 4 | 19 Update 4
SIMATIC Logon V1.6 | All versions | No fix yet
SIMATIC Logon V2.0 | <V2.0 Upd3 | 2.0 Upd3
SIMATIC Management Agent | <V9.1 SP1 Upd8 | 9.1 SP1 Upd8
Remediation & Mitigation
Do now
WORKAROUND: Always install applications from a clean, empty directory with no other files present
HARDENING: Restrict local access to installation directories and limit who can write to shared network installation folders
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update to the latest patched version for your specific product and version
Long-term hardening
HARDENING: For products with no fix planned, harden the application host OS to prevent local access by untrusted personnel
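
The workaround and the first hardening item above can be checked before an installer is launched. The following PowerShell function is an added example, not code from Siemens or the advisory; the function name Test-InstallerDirectory and the staging path are hypothetical.

```powershell
# Added example: pre-install check for the advisory's workaround and hardening items.
function Test-InstallerDirectory {
    param([Parameter(Mandatory)][string]$InstallerPath)

    $installer = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
    $dir = $installer.Directory.FullName

    # Workaround: the directory should hold the installer and nothing else.
    $others = @(Get-ChildItem -LiteralPath $dir -Force |
        Where-Object { $_.FullName -ne $installer.FullName })

    # DLLs beside the installer are what search-order hijacking depends on;
    # record their signature state so unexpected ones stand out in review.
    $dlls = @($others |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                Modified  = $_.LastWriteTime
                Signature = $sig.Status
            }
        })

    # Hardening: flag broad groups allowed to create files in the directory.
    # Everyone, Authenticated Users, BUILTIN\Users (SIDs avoid localized names).
    # ACEs expressed only as generic rights are not decoded here.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $create = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
    $writers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $create) -ne 0)
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)

    [pscustomobject]@{
        Directory    = $dir
        Clean        = ($others.Count -eq 0)
        OtherItems   = @($others | ForEach-Object { $_.Name })
        Dlls         = $dlls
        BroadWriters = $writers
    }
}

# Constructed placeholder path; replace with the staged installer location.
$path = 'C:\Staging\SiemensSetup\Setup.exe'
if (Test-Path -LiteralPath $path) { Test-InstallerDirectory -InstallerPath $path | Format-List }
```

A result with Clean set to False or a non-empty BroadWriters list means the directory does not meet the workaround or hardening condition and the installer should be moved to a fresh, access-restricted directory first.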