OTPulse

Local Arbitrary Code Execution Vulnerability in Siemens Engineering Platforms before V20

Action: Plan Patch
CVSS: 7.3
Advisory: SSA-392859
Date: Dec 10, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Affected Siemens engineering and simulation platforms contain a local arbitrary code execution vulnerability (CWE-20, improper input validation) that allows an attacker with local workstation access to execute arbitrary code when a user opens a malicious file or project within the design environment. Affected products: SIMATIC STEP 7 (V17–V19), WinCC (V17–V19), WinCC Unified PC Runtime (V17–V19), PLCSIM (V17–V18), SIMOTION SCOUT TIA (V5.4–V5.6), SINAMICS Startdrive (V17–V19), SIMOCODE ES (V17–V19), SIRIUS Safety ES and Soft Starter ES (V17–V19), and TIA Portal Cloud (V17–V19). Siemens has released fixes in V17 Update 9, V19 Update 4, and SIMOTION SCOUT TIA V5.6 SP1 HF7; no fixes are planned for the V18 product lines and several other products. Where possible, update to TIA Portal V20, which is not affected.

What this means
What could happen
An attacker with local access to an engineering workstation could execute arbitrary code on the system, potentially allowing manipulation of PLC programs, HMI configurations, or safety-critical logic before deployment to production equipment. This could alter control setpoints, disable interlocks, or modify device parameters without detection.
Who's at risk
Manufacturing facilities using Siemens TIA Portal (STEP 7, WinCC, PLCSIM) and related engineering platforms on workstations are affected. This includes: automation engineers and technicians using design environments, facilities with offline PLC/HMI configuration workflows, sites using WinCC Unified for supervisory control, and operations managing motion control via SIMOTION SCOUT TIA or variable frequency drives (SINAMICS Startdrive). Any site where control logic is developed or modified on engineering workstations before deployment to live systems is at risk.
How it could be exploited
An attacker must gain local access to an engineering workstation running the affected STEP 7, WinCC, PLCSIM, or related design platform. They then trigger the vulnerability through user interaction (opening a malicious file or crafted project), which executes arbitrary code with the privileges of the engineering user. The attacker can then modify PLC or HMI configurations offline before they are deployed to live control systems.
Prerequisites
  • Local access to the engineering workstation (physical or remote desktop)
  • Presence of a vulnerable version of STEP 7, WinCC, PLCSIM, SIMOTION SCOUT TIA, or related TIA Portal product
  • User interaction required: engineer must open a malicious file or project within the design environment
Key points
  • Local access required
  • Low complexity exploit
  • User interaction required (opens file)
  • High CVSS (7.3)
  • No patch available for multiple products (V18 lines, PLCSIM, Startdrive, SIRIUS)
  • Affects the engineering environment; not directly exploitable remotely on production systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (34)
10 with fix, 24 pending (first 5 of 34 rows shown)

Product                      Affected Versions              Fix Status
SIMATIC S7-PLCSIM V17        All versions                   No fix yet
SIMATIC S7-PLCSIM V18        All versions                   No fix yet
SIMATIC STEP 7 Safety V17    All versions < V17 Update 9    V17 Update 9
SIMATIC STEP 7 Safety V18    All versions                   No fix yet
SIMATIC STEP 7 Safety V19    All versions < V19 Update 4    V19 Update 4
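Deciding whether an installed build is below the fixed version is a version comparison, not a string match: "V19" with no update is the base release and is older than "V19 Update 4", and a product whose row says "All versions" has no fixed version to compare against. The following script is an added example and not code from OTPulse or Siemens. It encodes only the five table rows reproduced on this page (the other 24 rows are not included), and the workstation inventory and the "V17 Update 9" version-string format are constructed assumptions; adapt the parser to however your inventory tool reports Siemens product versions.

```python
# Added example (not from the OTPulse page or Siemens): classify installed TIA Portal
# products against the fixed versions in the SSA-392859 table on this page.
# Only the 5 rows reproduced on the page are encoded. Inventory records and the
# "V17 Update 9" version-string format are constructed assumptions.
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    fixed: Optional[str]  # "V17 Update 9", or None when no fix has been released


# Rows from the advisory table on this page (5 of 34).
FIX_TABLE = {
    "SIMATIC S7-PLCSIM V17":     Rule(None),
    "SIMATIC S7-PLCSIM V18":     Rule(None),
    "SIMATIC STEP 7 Safety V17": Rule("V17 Update 9"),
    "SIMATIC STEP 7 Safety V18": Rule(None),
    "SIMATIC STEP 7 Safety V19": Rule("V19 Update 4"),
}

_VER = re.compile(r"^V(\d+)(?:\s+Update\s+(\d+))?$")


def parse_version(s: str) -> tuple:
    """'V19 Update 4' -> (19, 4); a bare 'V19' is the base release, update 0."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def classify(product: str, installed: str) -> str:
    """Return 'not-listed', 'no-fix', 'vulnerable' or 'fixed' for one install."""
    rule = FIX_TABLE.get(product)
    if rule is None:
        return "not-listed"      # not one of the rows encoded here; check the full advisory
    if rule.fixed is None:
        return "no-fix"          # every version affected, nothing to update to
    return "fixed" if parse_version(installed) >= parse_version(rule.fixed) else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, product, installed version) tuples."""
    return [(host, prod, ver, classify(prod, ver)) for host, prod, ver in inventory]


# Constructed inventory of engineering workstations (not real hosts).
SAMPLE_INVENTORY = [
    ("ENG-WS-01", "SIMATIC STEP 7 Safety V19", "V19 Update 3"),
    ("ENG-WS-01", "SIMATIC S7-PLCSIM V18",     "V18 Update 2"),
    ("ENG-WS-02", "SIMATIC STEP 7 Safety V17", "V17 Update 9"),
    ("ENG-WS-03", "SIMATIC STEP 7 Safety V19", "V19"),
]

if __name__ == "__main__":
    for host, prod, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {prod:28} {ver:14} {status}")
```

Hosts that come back "no-fix" are the ones the hardening section below applies to; "not-listed" means the product is simply not among the rows encoded here, not that it is safe.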
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V17 / V19
  HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later and STEP 7 V19 to Update 4 or later
SIMATIC WinCC V17 / V19
  HOTFIX: Update SIMATIC WinCC V17 to Update 9 or later, WinCC V19 to Update 4 or later, and the WinCC Unified products to the corresponding Update 9 or Update 4 versions
SIMOTION SCOUT TIA V5.6
  HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
TIA Portal Cloud
  HOTFIX: Migrate TIA Portal Cloud instances to V5.2.1.1 or later (which runs on V19 Update 4 or later)
Long-term hardening
Products without a fix
  HARDENING: For products with no fix available (STEP 7 V18, WinCC V18, PLCSIM V17/V18, SINAMICS Startdrive V17-V19, SIRIUS Safety ES, SIRIUS Soft Starter ES, TIA Portal Cloud V17-V18), restrict engineering workstation access to trusted personnel only, open project files only from trusted sources (exploitation requires a user to open a crafted file or project), and implement network segmentation to limit lateral movement if a workstation is compromised
All products
  HARDENING: Audit stored PLC and HMI projects for unauthorized modifications; maintain change logs and version control of all control configurations
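One concrete form of the project audit above is a hash baseline of each project tree, re-checked before a project is downloaded to a controller. The script below is an added example, not code from OTPulse or Siemens; the project layout, file names and the ".ap19" extension are constructed stand-ins for whatever files your projects actually consist of.

```python
# Added example (not from the OTPulse page or Siemens): SHA-256 baseline of an
# engineering project tree and a diff of the current tree against that baseline.
# The project layout and file contents are constructed for illustration.
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large project archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified relative paths between two snapshots."""
    return {
        "added":    sorted(set(current) - set(baseline)),
        "removed":  sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed project, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Line3_Project"
        (root / "System").mkdir(parents=True)
        (root / "Line3_Project.ap19").write_bytes(b"constructed project header\n")
        (root / "System" / "PLC_1.xml").write_bytes(b"<Block>SafeStop interlock</Block>\n")
        (root / "System" / "HMI_1.xml").write_bytes(b"<Screen>Main</Screen>\n")

        manifest = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), manifest)

        # Simulated unauthorised change: interlock logic edited, a new block dropped in,
        # an HMI screen deleted.
        (root / "System" / "PLC_1.xml").write_bytes(b"<Block>interlock bypassed</Block>\n")
        (root / "System" / "FB_Hidden.xml").write_bytes(b"<Block>?</Block>\n")
        (root / "System" / "HMI_1.xml").unlink()

        return diff_baseline(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest off the engineering workstation (on a separate host or in version control the engineering account cannot push to): code running as the engineering user, which is exactly what this vulnerability gives an attacker, can otherwise rewrite the manifest along with the project.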