Siemens WinCC Certificate Manager

Status: Plan Patch | CVSS 7.1 | ICS-CERT ICSA-26-174-01 | Jun 9, 2026
Vendor: Siemens

Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

WinCC Certificate Manager does not adequately protect stored certificate key material. Versions 16 through 20 of SIMATIC WinCC Unified PC Runtime have no fix planned. Version 21 is affected in all releases prior to Update 2. An attacker with local access could extract certificate keys and use them to compromise secure communications within the control system.

What this means
What could happen
An attacker with local access to a WinCC runtime machine could extract unprotected certificate key material, compromising the security of SCADA communications and potentially enabling them to impersonate legitimate control system components.
Who's at risk
Organizations running Siemens WinCC Unified PC Runtime as their HMI/SCADA platform, particularly those relying on certificate-based authentication for secure communications between control components. This affects utilities and manufacturers using WinCC for process monitoring and control.
How it could be exploited
An attacker who gains local access to the WinCC runtime computer could access stored certificate keys in WinCC Certificate Manager that are not adequately protected, allowing them to extract and reuse those keys for unauthorized communications with other control system devices.
Prerequisites
  • Local access to the WinCC Unified PC Runtime machine
  • User-level privileges sufficient to access certificate storage locations
  • No remote exploitation possible (local access required)
  • No patch available for versions 16-20
  • Affects confidentiality of certificate keys
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
1 with fix, 5 EOL

Product                                | Affected Versions | Fix Status
SIMATIC WinCC Unified PC Runtime V16   | All versions      | No fix (EOL)
SIMATIC WinCC Unified PC Runtime V17   | All versions      | No fix (EOL)
SIMATIC WinCC Unified PC Runtime V18   | All versions      | No fix (EOL)
SIMATIC WinCC Unified PC Runtime V19   | All versions      | No fix (EOL)
SIMATIC WinCC Unified PC Runtime V20   | All versions      | No fix (EOL)
SIMATIC WinCC Unified PC Runtime V21   | < 21.0.2          | 21 Update 2
Remediation & Mitigation
Do now
HARDENING: For V16 through V20: Restrict local access to WinCC runtime machines to authorized personnel only
HARDENING: For V16 through V20: Implement operating system-level access controls to protect certificate storage directories on WinCC runtime machines
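A check for the operating-system access control item above, added here as an example and not part of the advisory or of Siemens' guidance: it audits the ACL of a certificate storage directory (the path is a placeholder, since the advisory does not name the location) and reports any ACE that grants read access to broad, non-administrative principals.

```powershell
# Added example, not from the advisory or from Siemens. Audits a directory
# ACL for read access granted to broad local principals. The default path
# is a PLACEHOLDER; pass the real certificate storage directory with -Path.
param(
    [string]$Path = 'C:\PLACEHOLDER\WinCC\CertStore'
)

# Principals that should not be able to read private key material.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$ReadBit = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAccess {
    param([string]$Directory)
    $acl = Get-Acl -Path $Directory
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $id) { continue }
        # FileSystemRights is a flags enum; test the ReadData/ListDirectory bit.
        if (($ace.FileSystemRights -band $ReadBit) -eq $ReadBit) {
            $findings += [pscustomobject]@{
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

if (-not (Test-Path -Path $Path -PathType Container)) {
    Write-Error "Directory not found: $Path"
    exit 1
}
$findings = @(Get-BroadReadAccess -Directory $Path)
if ($findings.Count -eq 0) {
    Write-Output "OK: no broad read access on $Path"
} else {
    # Inherited ACEs come from the parent; fixing them means breaking
    # inheritance on this directory and granting only SYSTEM, Administrators
    # and the account the runtime actually runs under.
    Write-Warning "Broad read access found on $Path"
    $findings | Format-Table -AutoSize
}
```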
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC Unified PC Runtime V21
HOTFIX: Update SIMATIC WinCC Unified PC Runtime V21 to Update 2 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC WinCC Unified PC Runtime V16, SIMATIC WinCC Unified PC Runtime V17, SIMATIC WinCC Unified PC Runtime V18, SIMATIC WinCC Unified PC Runtime V19, SIMATIC WinCC Unified PC Runtime V20. Apply the following compensating controls:
HARDENING: For V16 through V20: Ensure WinCC runtime machines are physically secured and not exposed to untrusted users