Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client
Score: 5.4
Advisory: SSA-547714
Published: Dec 13, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SIMATIC WinCC OA Ultralight Client contains an argument injection vulnerability that allows an authenticated remote attacker to inject arbitrary parameters when starting the client via the web interface. An attacker with valid credentials could inject malicious arguments to open unauthorized panels, access sensitive data, or start control scripts on the system.
What this means
What could happen
An attacker with valid credentials could inject parameters to launch unauthorized panels or scripts on the Ultralight Client, potentially allowing them to view sensitive configuration data, alter operational parameters, or execute control logic without proper authorization.
Who's at risk
Organizations running SIMATIC WinCC OA visualization and SCADA systems should prioritize this. Operators of water treatment facilities, electric utilities, chemical plants, and other critical infrastructure using WinCC OA as a supervisory control system are affected. Particularly relevant are systems where the Ultralight Client (web-based remote access) is exposed to untrusted networks or where multiple users with different privilege levels share the same credentials.
How it could be exploited
An attacker with valid WinCC OA credentials crafts a malicious URL or request to the web interface when launching the Ultralight Client, injecting arbitrary parameters into the startup arguments. These injected parameters could specify attacker-chosen panels to open or control scripts to execute, bypassing normal access controls.
Prerequisites
- Valid WinCC OA user credentials (authenticated access required)
- Network access to the WinCC OA web interface
- Ability to craft or send HTTP requests to the web interface
- WinCC OA Ultralight Client must be enabled and accessible via web
- Remotely exploitable via web interface
- Requires valid authentication (reduces risk)
- Low complexity attack
- Low EPSS score (0.2%)
- Patch available for all affected versions
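The bug class described above, as an added illustration that is not WinCC OA code and not from this advisory: a web launcher that pastes a user-supplied query parameter into a command line (the argument-injection pattern) next to a hardened launcher that forwards only allowlisted parameter names and values as separate argv entries. The binary path, the `--panel`/`--lang` options, the panel names and the sample requests are all constructed for the example.

```python
"""Allowlist-based validation of client launch requests (hypothetical example).

Models the pattern the advisory describes: a web front end turns request
parameters into startup arguments for a client process.  Nothing here is
WinCC OA's own code; paths, option names and panel names are constructed.
"""
import re
import shlex
from urllib.parse import parse_qs

CLIENT_BIN = "/opt/example/ulclient"          # hypothetical client binary
ALLOWED_PARAMS = {"panel", "lang"}           # only these names are forwarded
ALLOWED_PANELS = {"overview.pnl", "alarms.pnl", "trends.pnl"}  # constructed
LANG_RE = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")


class LaunchRequestError(ValueError):
    """Raised when a launch request carries parameters the allowlist rejects."""


def build_argv_unsafe(query: str) -> list[str]:
    """'Before' form: the raw panel value is interpolated into a command line
    string and re-split, so a value containing whitespace and a leading dash
    becomes an additional option for the client instead of a panel name."""
    params = parse_qs(query)
    panel = params.get("panel", [""])[0]
    return shlex.split(f"{CLIENT_BIN} --panel {panel}")


def build_argv_safe(query: str) -> list[str]:
    """Hardened form: unknown parameter names are refused, the panel must be
    one of a fixed set, and every value is passed as its own argv element so
    it can never be interpreted as an option.  Launch the result with
    subprocess.run(argv) (list form, no shell)."""
    params = parse_qs(query, keep_blank_values=True)
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise LaunchRequestError(f"unexpected parameter(s): {sorted(unknown)}")

    panels = params.get("panel", [])
    if len(panels) != 1:
        raise LaunchRequestError("exactly one panel must be requested")
    panel = panels[0]
    if panel not in ALLOWED_PANELS:          # exact-match allowlist, no globbing
        raise LaunchRequestError(f"panel not permitted: {panel!r}")
    argv = [CLIENT_BIN, "--panel", panel]

    langs = params.get("lang", [])
    if langs:
        if len(langs) != 1 or not LANG_RE.fullmatch(langs[0]):
            raise LaunchRequestError("invalid lang value")
        argv += ["--lang", langs[0]]
    return argv


def is_launch_request_allowed(query: str) -> bool:
    """Convenience wrapper for request filtering or tests."""
    try:
        build_argv_safe(query)
        return True
    except LaunchRequestError:
        return False


if __name__ == "__main__":
    # Constructed request: a panel value that smuggles an extra option.
    injected = "panel=overview.pnl%20--script%20extra.ctl"
    print("unsafe :", build_argv_unsafe(injected))
    print("safe   :", is_launch_request_allowed(injected))
    print("normal :", build_argv_safe("panel=alarms.pnl&lang=en_US"))
```

The key design choice is that the safe path never builds a string that is later split: each forwarded value is one argv element, and the value itself must match a closed set, so a request cannot add options the operator did not intend. A request log filter can apply `is_launch_request_allowed` to launch URLs to flag attempts that carry unexpected parameter names or non-allowlisted panels.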
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SIMATIC WinCC OA V3.15 | < V3.15 P038 | 3.15 P038
SIMATIC WinCC OA V3.16 | < V3.16 P035 | 3.16 P035
SIMATIC WinCC OA V3.17 | < V3.17 P024 | 3.17 P024
SIMATIC WinCC OA V3.18 | < V3.18 P014 | 3.18 P014
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the WinCC OA web interface to trusted IP addresses or networks only
HARDENING: Disable or restrict the Ultralight Client feature if not in active use
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC WinCC OA V3.15
HOTFIX: Update SIMATIC WinCC OA V3.15 to patch level P038 or later
SIMATIC WinCC OA V3.16
HOTFIX: Update SIMATIC WinCC OA V3.16 to patch level P035 or later
SIMATIC WinCC OA V3.17
HOTFIX: Update SIMATIC WinCC OA V3.17 to patch level P024 or later
SIMATIC WinCC OA V3.18
HOTFIX: Update SIMATIC WinCC OA V3.18 to patch level P014 or later
Long-term hardening
HARDENING: Enforce strong password policies and multi-factor authentication for WinCC OA user accounts
CVEs (1)