An Improper Initialization Vulnerability Affects SIMATIC WinCC Kiosk Mode
Plan: Patch
CVSS score: 7.8
Advisory: SSA-363107
Published: May 10, 2022
Attack Vector: Local
Auth Required: Low (a valid user account)
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in SIMATIC WinCC allows authenticated attackers to escape Kiosk Mode restrictions through improper initialization. Kiosk Mode is a restricted operator interface designed to limit user actions to safe operational tasks. By exploiting this flaw, an authenticated user could bypass these restrictions and gain access to the full system. Siemens has released updates for affected versions; however, several product versions are end-of-life with no patches available.
What this means
What could happen
An authenticated attacker with local access could escape Kiosk Mode restrictions on SIMATIC WinCC, potentially gaining full system control and the ability to modify industrial process parameters or halt operations.
Who's at risk
Plant operators and automation engineers using SIMATIC WinCC or PCS 7 systems for process monitoring and control in manufacturing, utilities, and other industrial sectors. Equipment affected includes operator interface terminals, engineering workstations, and HMI/SCADA control stations running SIMATIC WinCC V7.3, V7.4 or V7.5; SIMATIC PCS 7 V8.2, V9.0 or V9.1; or SIMATIC WinCC Runtime Professional V16 and earlier, or V17.
How it could be exploited
An attacker with valid operator credentials and physical or remote local access to a WinCC terminal in Kiosk Mode could exploit improper initialization to break out of the restricted interface. Once escaped, the attacker would have access to the full WinCC system and could reconfigure automation logic, alter process setpoints, or shut down controlled equipment.
Prerequisites
- Valid WinCC operator credentials (username and password)
- Local access (physical console or an equivalent remote interactive session) to a WinCC Runtime terminal or engineering workstation
- System must be configured in Kiosk Mode (restricted operator interface)
Key facts:
- Authenticated access required
- Local access required
- Low complexity exploitation
- Affects interface restrictions (Kiosk Mode bypass)
- End-of-life products without patches (WinCC V7.3, WinCC Runtime Professional V16 and earlier, PCS 7 V8.2)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8): 5 with fix, 3 EOL

Product                                          | Affected versions                | Fix status
SIMATIC PCS 7 V9.0                               | All versions < V9.0 SP3 UC06     | V9.0 SP3 UC06
SIMATIC PCS 7 V9.1                               | All versions < V9.1 SP1 UC01     | V9.1 SP1 UC01
SIMATIC WinCC Runtime Professional V17           | All versions < V17 Upd4          | V17 Upd4
SIMATIC WinCC V7.4                               | All versions < V7.4 SP1 Update 21 | V7.4 SP1 Update 21
SIMATIC WinCC V7.5                               | All versions < V7.5 SP2 Update 8 | V7.5 SP2 Update 8
SIMATIC PCS 7 V8.2                               | All versions                     | No fix (EOL)
SIMATIC WinCC V7.3                               | All versions                     | No fix (EOL)
SIMATIC WinCC Runtime Professional V16 and earlier | All versions                   | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical and network access to WinCC terminals to authorized personnel only, and audit WinCC user accounts for unnecessary elevated privileges. For the end-of-life versions (WinCC V7.3, WinCC Runtime Professional V16 and earlier, PCS 7 V8.2) no fix will be issued, so these controls are the only mitigation available until the system is migrated to a supported version.
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to SP1 Update 21 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 8 or later
SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 V9.0 to SP3 UC06 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to SP1 UC01 or later
SIMATIC WinCC Runtime Professional V17
HOTFIX: Update SIMATIC WinCC Runtime Professional V17 to Update 4 or later
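The triage a practitioner does against the table above, as an added example that is not part of this page or of the Siemens advisory: parse version strings in the form the advisory uses ("V7.4 SP1 Update 21", "V9.0 SP3 UC06", "V17 Upd4"), compare each installed product against the fixed version, and flag the end-of-life lines separately so they go to a migration queue instead of a patch queue. The inventory is constructed sample data; the product family names, the version-string format and the helper names (parse_version, assess, triage) are assumptions, and version strings reported by real installers may be formatted differently.

```python
import re
from typing import Callable, List, NamedTuple, Optional, Tuple


class Ver(NamedTuple):
    """Siemens-style version: major.minor, service pack, update/UC number."""
    major: int
    minor: int
    sp: int
    update: int


# Accepts the forms used in the advisory table: "V7.4 SP1 Update 21",
# "V9.0 SP3 UC06", "V17 Upd4". Missing components count as 0, so
# "V7.4 SP1" sorts below "V7.4 SP1 Update 1". (Assumed format.)
_VER_RE = re.compile(
    r"^V(\d+)(?:\.(\d+))?(?:\s+SP(\d+))?(?:\s+(?:Update|Upd|UC)\s*(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Ver:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return Ver(*(int(g) if g else 0 for g in m.groups()))


# Product lines from SSA-363107 as listed on this page. A fix of None means
# the product line is end-of-life and no update will be published.
Row = Tuple[str, Callable[[Ver], bool], Optional[str]]
ADVISORY: List[Row] = [
    ("SIMATIC PCS 7", lambda v: (v.major, v.minor) == (9, 0), "V9.0 SP3 UC06"),
    ("SIMATIC PCS 7", lambda v: (v.major, v.minor) == (9, 1), "V9.1 SP1 UC01"),
    ("SIMATIC PCS 7", lambda v: (v.major, v.minor) == (8, 2), None),
    ("SIMATIC WinCC", lambda v: (v.major, v.minor) == (7, 3), None),
    ("SIMATIC WinCC", lambda v: (v.major, v.minor) == (7, 4), "V7.4 SP1 Update 21"),
    ("SIMATIC WinCC", lambda v: (v.major, v.minor) == (7, 5), "V7.5 SP2 Update 8"),
    ("SIMATIC WinCC Runtime Professional", lambda v: v.major == 17, "V17 Upd4"),
    ("SIMATIC WinCC Runtime Professional", lambda v: v.major <= 16, None),
]


def assess(family: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for one installed product.

    status is PATCHED, VULNERABLE, EOL (vulnerable, no fix will ship) or
    NOT_LISTED (product line not covered by SSA-363107).
    """
    have = parse_version(installed)
    for fam, matches, fix in ADVISORY:
        if fam != family or not matches(have):
            continue
        if fix is None:
            return ("EOL", None)
        return ("PATCHED" if have >= parse_version(fix) else "VULNERABLE", fix)
    return ("NOT_LISTED", None)


# Constructed sample inventory (hostname, product family, installed version);
# not real data. How you collect it depends on your asset-management tooling.
SAMPLE_INVENTORY = [
    ("hmi-line1", "SIMATIC WinCC", "V7.4 SP1 Update 19"),
    ("hmi-line2", "SIMATIC WinCC", "V7.5 SP2 Update 8"),
    ("es-plant", "SIMATIC PCS 7", "V9.0 SP3 UC04"),
    ("hmi-old", "SIMATIC WinCC Runtime Professional", "V16 Upd5"),
    ("hmi-new", "SIMATIC WinCC Runtime Professional", "V17 Upd4"),
    ("hmi-misc", "SIMATIC WinCC", "V8.0"),
]


def triage(inventory) -> List[Tuple[str, str, Optional[str]]]:
    """Map each host to (hostname, status, fix) so VULNERABLE hosts can be
    queued for the maintenance window and EOL hosts for migration."""
    return [(host, *assess(fam, ver)) for host, fam, ver in inventory]


if __name__ == "__main__":
    for host, status, fix in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {status:10} {fix or '-'}")
```

Hosts that come back NOT_LISTED are not necessarily safe; they are simply outside the scope of this advisory and need to be checked against the vendor's other bulletins.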
CVEs (1)