OTPulse

Unquoted Search Path Vulnerability in Windows-based Industrial Software Applications

Plan: Patch
CVSS: 8.8
Advisory: SSA-312271
Published: Jun 9, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A local privilege escalation vulnerability in multiple Siemens industrial automation products allows an attacker with an ordinary user account on an engineering workstation to execute arbitrary code with SYSTEM privileges. During startup, an affected application (or a service it installs) launches a helper executable through a path that contains spaces but is not enclosed in quotes. Windows resolves such a path by trying each space-delimited prefix as a candidate executable before reaching the intended file: for an illustrative path such as C:\Program Files\Vendor\Tool Suite\helper.exe it first looks for C:\Program.exe, then C:\Program Files\Vendor\Tool.exe, and only then for the real helper. An attacker who can create a file at one of those candidate locations plants an executable that Windows runs instead of the legitimate helper, with the privileges of the launching process. The affected products include STEP 7 (TIA Portal) V13 to V16, SIMATIC WinCC visualization software, SINAMICS drive engineering tools, SINUMERIK CNC software, and numerous other industrial engineering applications.

What this means
What could happen
A local attacker with user-level access to a Windows engineering workstation could exploit an unquoted search path to run arbitrary code with system privileges, potentially allowing them to alter PLC programs, modify control setpoints, or disable safety interlocks on critical infrastructure equipment.
Who's at risk
Manufacturing facilities using Siemens industrial automation software, particularly organizations running STEP 7 (TIA Portal), WinCC visualization platforms, SINUMERIK CNC systems, SINAMICS drive software, or SIMATIC control systems on Windows engineering workstations. This affects design and engineering environments where PLCs, motor drives, and machine controllers are programmed and configured.
How it could be exploited
A vulnerable Siemens application or service starts a helper executable through an unquoted path that contains spaces. Windows tries each space-delimited prefix of that path as a candidate executable before the intended one, so an attacker with a user account on the engineering workstation who can create a file at one of those candidate locations (for example in the root of the system drive or directly under Program Files) plants a malicious executable there and waits. The next time the application or service starts, Windows finds and runs the planted file instead of the legitimate helper, with the privileges of the launching process, which the advisory describes as SYSTEM.
Prerequisites
  • Local user account on the Windows engineering workstation where Siemens software is installed
  • Write access to a directory that forms a space-delimited prefix of the unquoted path (for example the root of the system drive, the Program Files folder, or a parent of the installation directory). Default Windows ACLs deny standard users file creation in these locations, so in practice a weakened ACL on one of them is needed
  • The vulnerable Siemens application or its helper must be launched by a user or service running with higher privileges (SYSTEM during startup, per the advisory)
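The check a practitioner would run on an engineering workstation, as an added example that is not code from Siemens or OTPulse: reproduce the prefix-probing rule Windows applies to an unquoted command line with spaces, scan the installed services for such command lines, and test whether the current user can actually create a file in any of the directories probed before the real executable. The function names are my own, and the sample command line at the end is a constructed path (Vendor\Tool Suite\helper.exe is not a real Siemens path); for it the probe order is C:\Program.exe, then C:\Program Files\Vendor\Tool.exe, then the full path.

```powershell
# Added example (not from the advisory or the vendor). Windows-only.

function Get-ExecProbeSequence {
    # Return the candidate executables Windows tries, in order, for an unquoted
    # command line whose executable path contains spaces. Quoted or space-free
    # paths are not affected and yield an empty list.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { return @() }
    # Keep the part up to and including the first ".exe" token; arguments are dropped.
    if ($cmd -notmatch '^(?<exe>.*?\.exe)(\s|$)') { return @() }
    $exePath = $Matches['exe']
    if ($exePath -notmatch ' ') { return @() }
    $tokens = $exePath -split ' '
    $sequence = for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        # A truncated prefix has no extension, so CreateProcess appends ".exe".
        if ($i -lt $tokens.Count) { "$prefix.exe" } else { $prefix }
    }
    return $sequence
}

function Test-CanCreateFile {
    # True if the current user can create (and delete) a file in $Directory.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path -Path $Directory -ChildPath ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePaths {
    # One row per location Windows probes before the real executable, for every
    # service whose PathName is unquoted and contains spaces.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $probes = @(Get-ExecProbeSequence -CommandLine ([string]$svc.PathName))
        if ($probes.Count -lt 2) { continue }
        foreach ($candidate in $probes[0..($probes.Count - 2)]) {
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Candidate = $candidate
                Writable  = Test-CanCreateFile -Directory $dir
            }
        }
    }
}

# Constructed command line, used only to show the probe order (not a real Siemens path).
Get-ExecProbeSequence -CommandLine 'C:\Program Files\Vendor\Tool Suite\helper.exe -service'

# Services whose pre-executable probe locations the current user can write to.
Find-UnquotedServicePaths | Where-Object Writable | Format-Table -AutoSize
```

Run it as the unprivileged account you want to reason about, not as an administrator, since the writability result is specific to the caller. A row with Writable set to True and RunsAs of LocalSystem is the exploitable combination; rows that are not writable show the same unquoted-path defect but no immediate escalation path. The same Get-ExecProbeSequence function applies to Run-key values and scheduled-task actions, which the advisory's "startup" wording may also cover.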
Key points
  • Local privilege escalation to SYSTEM level
  • Low-complexity attack requiring only local access
  • Affects multiple critical engineering platforms across the Siemens portfolio
  • SIMATIC NET PC Software V15 has no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (27)
26 with fix, 1 pending (the table below shows 5 of the 27; the full list is under Remediation & Mitigation)

Product | Affected Versions | Fix Status
SIMATIC Automation Tool | < V4 SP2 | 4 SP2
SIMATIC NET PC Software V14 | < V14 SP1 Update 14 | 14 SP1 Update 14
SIMATIC NET PC Software V15 | All versions | No fix yet
SIMATIC NET PC Software V16 | < V16 Upd3 | 16 Upd3
SIMATIC PCS neo | < V3.0 SP1 | 3.0 SP1
Remediation & Mitigation

Schedule: requires a maintenance window. Patching may require a device reboot, so plan for process interruption.

SIMATIC STEP 7 (TIA Portal) V13
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V13 to SP2 Update 4 or later
SIMATIC STEP 7 (TIA Portal) V14
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V14 to SP1 Update 10 or later
SIMATIC STEP 7 (TIA Portal) V15
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V15 to 15.1 Update 5 or later
SIMATIC STEP 7 (TIA Portal) V16
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V16 to Update 2 or later
SIMATIC STEP 7 V5
HOTFIX: Update SIMATIC STEP 7 V5 to 5.6 SP2 HF3 or later
SIMATIC Automation Tool
HOTFIX: Update SIMATIC Automation Tool to V4 SP2 or later
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software V14 to SP1 Update 14 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software V16 to Update 3 or later
SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to V3.0 SP1 or later
SIMATIC ProSave
HOTFIX: Update SIMATIC ProSave to V17 or later
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to V21.8 or later
SIMATIC WinCC OA V3.16
HOTFIX: Update SIMATIC WinCC OA V3.16 to P018 or later
SIMATIC WinCC OA V3.17
HOTFIX: Update SIMATIC WinCC OA V3.17 to P003 or later
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced to V16 Update 2 or later
SIMATIC WinCC Runtime Professional V13
HOTFIX: Update SIMATIC WinCC Runtime Professional V13 to SP2 Update 4 or later
SIMATIC WinCC Runtime Professional V14
HOTFIX: Update SIMATIC WinCC Runtime Professional V14 to SP1 Update 10 or later
SIMATIC WinCC Runtime Professional V15
HOTFIX: Update SIMATIC WinCC Runtime Professional V15 to 15.1 Update 5 or later
SIMATIC WinCC Runtime Professional V16
HOTFIX: Update SIMATIC WinCC Runtime Professional V16 to Update 2 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to SP1 Update 14 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP1 Update 3 or later
SINAMICS Startdrive
HOTFIX: Update SINAMICS Startdrive to V16 Update 3 or later
SINAMICS STARTER
HOTFIX: Update SINAMICS STARTER to V5.4 HF2 or later
SINEC NMS
HOTFIX: Update SINEC NMS to V1.0 SP2 or later
SINEMA Server
HOTFIX: Update SINEMA Server to V14 SP3 or later
SINUMERIK ONE virtual
HOTFIX: Update SINUMERIK ONE virtual to V6.14 or later
SINUMERIK Operate
HOTFIX: Update SINUMERIK Operate to V6.14 or later
Long-term hardening
HARDENING: Restrict local user account permissions on engineering workstations so that standard users cannot create files in the root of the system drive, in Program Files, or in the Siemens installation directories; these are the locations Windows probes before the intended executable
HARDENING: Implement file integrity monitoring on Siemens software installation directories to detect unauthorized executable placement
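A minimal implementation of the file-integrity item above, as an added example that is not code from the advisory or the vendor: record SHA-256 hashes of every .exe and .dll under the Siemens installation roots once, then re-run on a schedule to report binaries that were added, modified or removed. The two install roots are assumptions (adjust them to the workstation), and the function names are my own.

```powershell
# Added example (not from the advisory or the vendor). Windows-only.

# Assumed install roots; change to match the workstation.
$SiemensRoots = @("$env:ProgramFiles\Siemens", "${env:ProgramFiles(x86)}\Siemens")

function Get-ExecutableHashes {
    # Map of full path -> SHA-256 for every .exe/.dll under the given roots.
    param([string[]]$Roots)
    $hashes = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hashes[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $hashes
}

function Save-ExecutableBaseline {
    # Write the current hash map to a JSON file (store it somewhere users cannot modify).
    param([Parameter(Mandatory)][string]$Path, [string[]]$Roots = $SiemensRoots)
    Get-ExecutableHashes -Roots $Roots | ConvertTo-Json | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Compare-ExecutableBaseline {
    # Emit one object per difference between the stored baseline and the current state.
    param([Parameter(Mandatory)][string]$Path, [string[]]$Roots = $SiemensRoots)
    $baseline = @{}
    $stored = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($prop in $stored.PSObject.Properties) { $baseline[$prop.Name] = $prop.Value }
    $current = Get-ExecutableHashes -Roots $Roots
    foreach ($file in $current.Keys) {
        if (-not $baseline.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Added'; Path = $file }
        } elseif ($baseline[$file] -ne $current[$file]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $file }
        }
    }
    foreach ($file in $baseline.Keys) {
        if (-not $current.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $file }
        }
    }
}

# First run: record the baseline. Later runs: report drift.
# Save-ExecutableBaseline -Path 'C:\ProgramData\siemens-baseline.json'
# Compare-ExecutableBaseline -Path 'C:\ProgramData\siemens-baseline.json' | Format-Table -AutoSize
```

Re-baseline immediately after applying the vendor hotfixes listed above, since every updated binary will otherwise show as Modified. For this vulnerability class the most telling indicator is a new executable at a probed prefix such as C:\Program.exe rather than inside the installation tree, so the prefix directories reported by a service-path scan are worth adding to the watched roots as well.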