Privilege Escalation Vulnerability in WIBU CodeMeter Runtime Affecting Siemens Products
Plan Patch · 8.2 · SSA-331739 · Aug 12, 2025
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
A privilege escalation vulnerability exists in WIBU CodeMeter Runtime, a licensing library integrated into several Siemens industrial automation products. An attacker with local access and elevated privileges could escalate their permissions further, potentially gaining full control of the engineering workstation or automation server. The vulnerability affects SIMATIC WinCC OA (multiple versions) and SIMATIC PDM Maintenance Station V5.0.
What this means
What could happen
An attacker with local administrative access to a WinCC OA server or PDM Maintenance Station could gain unrestricted control of that system, potentially enabling them to alter process configurations, modify setpoints, disable alarms, or interfere with remote communications to field devices.
Who's at risk
Manufacturing facilities, water treatment plants, and power utilities using Siemens SIMATIC WinCC OA (versions 3.18, 3.19, 3.20) for SCADA/HMI operations or SIMATIC PDM Maintenance Station for field device management. Any organization with engineering workstations or centralized automation servers running these products is at risk if local access controls are not strictly enforced.
How it could be exploited
An attacker must first gain local access to the engineering workstation or automation server (physical access or prior compromise). With administrative or high-privilege credentials already obtained, the attacker exploits the CodeMeter Runtime flaw to escalate to full system control, bypassing any remaining access restrictions. Once compromised, the attacker can manipulate HMI/SCADA configurations, modify controller logic, or deny service to operators.
Prerequisites
- Local access to the affected workstation or server
- High-privilege user account on the Windows system (administrator or equivalent)
- CodeMeter Runtime component present in a vulnerable version
- High-privilege prerequisite (reduces immediate risk in segmented networks)
- Local access required (not remotely exploitable from network)
- No patch available for SIMATIC PDM Maintenance Station V5.0
- Affects safety and control system configuration capabilities
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
3 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC PDM Maintenance Station V5.0 | All versions | No fix (EOL) |
| SIMATIC WinCC OA V3.18 | All versions < V3.18 P032 | 3.18 P032 |
| SIMATIC WinCC OA V3.19 | All versions < V3.19 P020 | 3.19 P020 |
| SIMATIC WinCC OA V3.20 | All versions < V3.20 P008 | 3.20 P008 |
Remediation & Mitigation
Do now
SIMATIC PDM Maintenance Station V5.0
HARDENING: For SIMATIC PDM Maintenance Station V5.0 (no fix available), restrict physical and remote access to the workstation, enforce strong access controls, and monitor for unauthorized configuration changes
All products
WORKAROUND: Disable or restrict access to CodeMeter licensing services on PDM Maintenance Station V5.0 systems if functionality allows
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC WinCC OA V3.18
HOTFIX: Update SIMATIC WinCC OA V3.18 to patch level P032 or later
SIMATIC WinCC OA V3.19
HOTFIX: Update SIMATIC WinCC OA V3.19 to patch level P019 or later
SIMATIC WinCC OA V3.20
HOTFIX: Update SIMATIC WinCC OA V3.20 to patch level P008 or later
Mitigations - no patch available
SIMATIC PDM Maintenance Station V5.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate engineering workstations and automation servers from general IT networks
HARDENING: Enforce principle of least privilege: ensure operators and technicians use non-administrative accounts for routine tasks
CVEs (1)