Deserialization Vulnerability in Siemens Engineering Platforms
Plan Patch | 7.8 | SSA-493396 | Aug 12, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Siemens engineering and automation platform applications contain a deserialization vulnerability: they do not properly handle user-controllable input when parsing project files. This could allow an attacker to cause type confusion and execute arbitrary code within the affected application. The vulnerability affects multiple versions of SIMATIC STEP 7, WinCC, SIMOTION SCOUT TIA, SINAMICS Startdrive, and related engineering software. Siemens has released fixes for some versions while others remain unfixed.
What this means
What could happen
An attacker who can deliver a malicious project file could execute arbitrary code on an engineer's workstation running affected Siemens software. This could allow modification of PLC programs, manipulation of automation configurations, or disruption of the engineering environment used to manage production systems.
Who's at risk
Manufacturing engineers and automation specialists using Siemens engineering platforms are at risk. This affects STEP 7 (PLC programming), WinCC (HMI/SCADA engineering), SIMOTION (motion control), SINAMICS Startdrive (drive engineering), SIRIUS Safety/Soft Starter engineering add-ons, SIMOCODE motor control, and TIA Portal Cloud. Any facility using these tools to engineer, configure, or maintain Siemens automation systems should assess their versions.
How it could be exploited
An attacker crafts a malicious Siemens project file (.ap13, .ap14, or similar format) containing specially crafted serialized data. When an engineer opens this file in an affected version of STEP 7, WinCC, or related software, the deserialization code fails to properly validate the input, allowing the attacker's payload to execute with the same privileges as the engineering application.
Prerequisites
- Engineer must open a malicious project file in an affected Siemens application
- Attacker needs a way to deliver the file (email, USB, shared network drive, etc.)
- User must have appropriate access level to open project files in the engineering environment
- low complexity exploitation
- requires user interaction (file opening)
- affects safety-critical engineering platforms
- widespread versions without fixes
- large portion of affected products have no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (33)
7 with fix, 26 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC S7-PLCSIM V17 | All versions | No fix yet |
| SIMATIC STEP 7 V17 | All versions < V17 Update 9 | 17 Update 9 |
| SIMATIC STEP 7 V18 | All versions | No fix yet |
| SIMATIC STEP 7 V19 | All versions < V19 Update 4 | 19 Update 4 |
| SIMATIC STEP 7 V20 | All versions < V20 Update 4 | 20 Update 4 |
Remediation & Mitigation
Do now
SIMOTION SCOUT TIA V5.4
WORKAROUND: For unfixed products (STEP 7 V18, WinCC V18, SIMOCODE ES all versions, SIMOTION SCOUT TIA V5.4-5.5/5.7, SINAMICS Startdrive all versions, SIRIUS Safety/Soft Starter all versions, PLCSIM V17, TIA Portal Cloud V17-V18), implement strict controls on project file sources and restrict access to engineering workstations from untrusted networks until patches are available
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later
SIMATIC STEP 7 V19
HOTFIX: Update SIMATIC STEP 7 V19 to Update 4 or later
SIMATIC STEP 7 V20
HOTFIX: Update SIMATIC STEP 7 V20 to Update 4 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to Update 9 or later
SIMATIC WinCC V19
HOTFIX: Update SIMATIC WinCC V19 to Update 4 or later
SIMATIC WinCC V20
HOTFIX: Update SIMATIC WinCC V20 to Update 4 or later
SIMOTION SCOUT TIA V5.6
HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
SIRIUS Safety ES V17 (TIA Portal)
HOTFIX: TIA Portal Cloud V19 will be fixed in version 5.2.1.1 and V20 in version 5.2.2.2. Update when available
Long-term hardening
HARDENING: Establish a procedure to validate project files for authenticity and scan them with available security tools before opening in affected applications
HARDENING: Segregate engineering networks from production networks and restrict engineer workstation access to trusted users and machines only
HARDENING: Educate engineers not to open project files from untrusted sources, particularly emails or external USB drives
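
One way to implement the project-file authenticity check from the hardening list, as an added example that is not part of the advisory or any Siemens tooling: the sender publishes a manifest of SHA-256 digests protected by an HMAC, and the receiving workstation verifies the project tree against it before the project is opened. The pre-shared key, the manifest layout and the sample file names are assumptions made for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def digest_tree(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_manifest(root: Path, key: bytes) -> dict:
    """Run by the sender on a trusted machine before handing the project over."""
    files = digest_tree(root)
    return {"files": files, "mac": _mac(files, key)}

def verify_project(root: Path, manifest: dict, key: bytes) -> list:
    """Return findings; an empty list means the tree matches an authentic manifest."""
    files = manifest.get("files", {})
    claimed = str(manifest.get("mac", "")).encode()
    if not hmac.compare_digest(_mac(files, key).encode(), claimed):
        return ["manifest: MAC mismatch"]
    actual = digest_tree(root)
    findings = [f"modified: {p}" for p in files if p in actual and actual[p] != files[p]]
    findings += [f"missing: {p}" for p in files if p not in actual]
    findings += [f"unexpected: {p}" for p in actual if p not in files]
    return sorted(findings)

def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: key is shared out of band
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Line3"  # constructed sample tree, not a real project
        (root / "System").mkdir(parents=True)
        (root / "Line3.ap14").write_bytes(b"constructed index")
        (root / "System" / "data.bin").write_bytes(b"constructed data")
        manifest = sign_manifest(root, key)
        clean = verify_project(root, manifest, key)
        (root / "System" / "data.bin").write_bytes(b"altered after signing")
        (root / "extra.bin").write_bytes(b"added after signing")
        tampered = verify_project(root, manifest, key)
        # A manifest regenerated without the key must fail the MAC check.
        forged = {"files": digest_tree(root), "mac": manifest["mac"]}
        return {"clean": clean, "tampered": tampered,
                "forged": verify_project(root, forged, key)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An empty result shows only that the files are the ones the sender signed; scanning and the updates listed above still apply.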
CVEs (1)
API:
/api/v1/advisories/31704dd5-ea89-4c25-b010-f678ea2feac2