OTPulse
FeedAboutContact

DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery

Plan Patch7.8SSA-282044Aug 12, 2025
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

A DLL hijacking vulnerability in the Siemens Web Installer component affects over 100 Siemens automation products including TIA Portal, SIMATIC WinCC, SIMATIC PCS 7, and related engineering tools. The vulnerability allows arbitrary code execution during the installation phase when users download and install affected products via Online Software Delivery (OSD). An attacker can place a malicious DLL in a location where the installer searches for dependencies, causing the legitimate application to load and execute the attacker's code with the privileges of the user performing the installation. The vulnerability poses a direct risk only during setup and installation, not during runtime operation of deployed systems. However, compromising the engineering environment could allow an attacker to inject malicious logic into control programs before deployment to production PLCs and HMI systems.

What this means
What could happen
An attacker can execute arbitrary code on an engineering workstation or deployment system during the installation of affected Siemens automation software. This could compromise the engineering environment and allow manipulation of control logic or process configurations before they are deployed to production systems.
Who's at risk
Energy and manufacturing organizations using Siemens automation platforms should prioritize this. Primary concern is SIMATIC WinCC (HMI/visualization), TIA Portal (the main engineering platform for PLCs and automation), SIMATIC PCS 7 (process automation), and related engineering tools. Over 100 Siemens products are affected, spanning HMI systems, PLC configuration tools, process libraries, and project management platforms. Engineering workstations, deployment systems, and any machine running these tools during setup are at risk.
How it could be exploited
An attacker places a malicious DLL file in a location where the Siemens Web Installer will search for dependencies during setup (e.g., a shared network folder or local directory). When a user downloads and installs an affected Siemens product via Online Software Delivery (OSD), the installer loads the attacker's DLL instead of the legitimate one, executing arbitrary code with the privileges of the installing user.
Prerequisites
  • User must initiate installation of an affected Siemens product
  • Attacker must have ability to place a malicious DLL in a location searched by the installer (local access, shared network folder, or compromised download path)
  • No special credentials or authentication required to exploit
Local attack vector (requires user to run installer)No authentication requiredLow complexity exploitAffects engineering environment with access to production systemsExtensive product coverage (100+ affected products)Many products have no fix available (unfixed or EOL)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (139)
53 with fix86 pending
ProductAffected VersionsFix Status
SIMATIC STEP 7 V5.7All versionsNo fix yet
SIMATIC TargetAll versions < V6.0 SP36.0 SP3
SIMATIC WinCC flexible ESAll versionsNo fix yet
SIMATIC WinCC Runtime AdvancedAll versions < V17 Update 917 Update 9
SIMATIC WinCC Runtime Professional< 2121
Remediation & Mitigation
0/11
Do now
0/3
SIMATIC STEP 7 V5.7
WORKAROUNDFor products with no fix available (SIMATIC STEP 7 V5.7, SIMATIC WinCC flexible ES, SIMATIC WinCC Runtime Professional V20, and others), apply network segmentation and access controls to limit who can trigger installations
All products
HARDENINGDownload installers only from official Siemens channels and verify their integrity before execution
HARDENINGRestrict write access to folders where installers may search for DLLs; use network security controls to prevent unauthorized placement of files in shared directories
Schedule — requires maintenance window
0/7

Patching may require device reboot — plan for process interruption

Totally Integrated Automation Portal (TIA Portal) V17
HOTFIXUpdate TIA Portal V17 to Update 9 or later, V19 to Update 4 or later, V20 to Update 4 or later
SIMATIC WinCC V7.5
HOTFIXUpdate SIMATIC WinCC V7.5 to SP2 Update 20 or later, V8.0 to Update 8 or later, V8.1 to Update 3 or later
SIMATIC WinCC Runtime Advanced
HOTFIXUpdate SIMATIC WinCC Runtime Advanced to V17 Update 9 or later, SIMATIC WinCC Runtime Professional to V21 or later
SIMATIC PCS 7 V9.1
HOTFIXUpdate SIMATIC PCS 7 V9.1 to SP1 UC08 or later, V10.0 to SP1 UC01 or later
MultiFieldbus Configuration Tool (MFCT)
HOTFIXUpdate MultiFieldbus Configuration Tool (MFCT) to V1.5.5.0 or later
SIMATIC Management Agent
HOTFIXUpdate SIMATIC Management Agent and SIMATIC Management Console to V9.1 SP1 Upd8 or later
SIMATIC S7-1500 Software Controller V3
HOTFIXUpdate SIMATIC S7-1500 Software Controller V3 to V31.1.5 or later
Long-term hardening
0/1
HARDENINGRun installations only on dedicated engineering workstations with restricted network access and monitor installation activity
View full Siemens ProductCERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/fd9b91f4-13d0-4e32-85bf-25c6288f6d1f