Client-side Authentication in SIMATIC WinCC OA
Act Now | 9.8 | SSA-111512 | Jun 21, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC WinCC OA implements client-side-only authentication when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated. Server-side authentication has been available since V3.15 and has been the default configuration since V3.17.
What this means
What could happen
An attacker without credentials could impersonate authorized operators or engineers and send commands to WinCC OA servers, potentially altering process setpoints, stopping equipment, or accessing sensitive operational data.
Who's at risk
Operators and engineers at water utilities, electric utilities, and manufacturing plants that use SIMATIC WinCC OA for SCADA/HMI systems. Any facility that relies on WinCC OA to monitor or control PLCs, field devices, or process equipment is affected if it is running V3.16 with default settings or V3.17–V3.18 without explicit server-side authentication enabled.
How it could be exploited
An attacker on the network sends crafted requests to the WinCC OA client-server port (default 4842) and can spoof user identity because the server does not authenticate the client. The attacker can then inject commands as if they were a legitimate operator.
Prerequisites
- Network access to WinCC OA client-server port (default 4842)
- WinCC OA project configured in default mode without server-side authentication (SSA) or Kerberos enabled
- No network-layer authentication or encryption in place
Tags: remotely exploitable, no authentication required, low complexity, default credentials / default insecure configuration, affects safety systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
2 pending, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC WinCC OA V3.17 | All versions in non-default configuration | No fix yet
SIMATIC WinCC OA V3.18 | All versions in non-default configuration | No fix yet
SIMATIC WinCC OA V3.16 | All versions in default configuration | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Enable server-side authentication (SSA) for your WinCC OA project
- WORKAROUND: If SSA is not suitable, enable Kerberos authentication instead
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: If running WinCC OA V3.16, upgrade to V3.17 or later to receive SSA as the default secure configuration
CVEs (1)