Remote Code Execution Vulnerability in SIMATIC SCADA and PCS 7 systems
Priority: Act Now · CVSS 9.1 · SSA-629254 · Sep 10, 2024
Attack Vector: Network
Privileges Required (authentication): High
Attack Complexity: Low
User Interaction: None
Summary
The affected SIMATIC products (PCS 7, WinCC, WinCC Runtime Professional, BATCH, Process Historian and Information Server) contain a remote code execution vulnerability that allows an authenticated remote attacker to execute arbitrary code with high system privileges. The attacker must hold valid credentials for the system (engineering or operator access). Siemens has released fixed versions for most affected products; SIMATIC BATCH V9.1 and SIMATIC WinCC V7.4 will not receive a fix and need compensating controls.
What this means
What could happen
An authenticated attacker could execute arbitrary code with high privileges on your SCADA and HMI systems, potentially allowing manipulation of process setpoints, halting operations, or corrupting historical data used for compliance and diagnostics.
Who's at risk
This vulnerability affects operators of Siemens SIMATIC process control, HMI/SCADA (WinCC) and data historian systems, including electric utilities and other critical infrastructure. The affected range spans older releases (WinCC V7.4 and V7.5, BATCH V9.1, PCS 7 V9.1) as well as current ones (WinCC V8.0, WinCC Runtime Professional V18/V19, Process Historian and Information Server 2020/2022). Any facility that uses these for real-time process monitoring or for retaining historical process data should assess its exposure.
How it could be exploited
An attacker with valid credentials to a SIMATIC SCADA, WinCC, Process Historian, or Information Server system could send a specially crafted remote request to execute arbitrary commands with system-level privileges. The attacker must already have authentication credentials (engineering access or operator credentials) to succeed.
Prerequisites
- Valid authentication credentials for the SIMATIC system (engineering workstation or operator login)
- Network access to the affected application's network services from the attacker's position (this advisory does not identify the specific port or protocol)
- The application must be running and reachable from the attacker's network location
Risk factors:
- remotely exploitable
- requires authentication (reduces immediate risk, but insider threat remains)
- affects SCADA and HMI core systems
- affects systems storing critical operational history
- no patch available for legacy versions (WinCC V7.4, BATCH V9.1)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (11): 9 with fix, 2 end of life

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC BATCH V9.1 | All versions | End of life, no fix planned |
| SIMATIC Information Server 2020 | All versions < V2020 SP2 Update 5 | V2020 SP2 Update 5 |
| SIMATIC Information Server 2022 | All versions < V2022 SP1 Update 2 | V2022 SP1 Update 2 |
| SIMATIC PCS 7 V9.1 | All versions < V9.1 SP2 UC06 | V9.1 SP2 UC06 |
| SIMATIC Process Historian 2020 | All versions < V2020 SP2 Update 5 | V2020 SP2 Update 5 |
| SIMATIC Process Historian 2022 | All versions < V2022 SP1 Update 2 | V2022 SP1 Update 2 |
| SIMATIC WinCC Runtime Professional V18 | All versions < V18 Update 5 | V18 Update 5 |
| SIMATIC WinCC Runtime Professional V19 | All versions < V19 Update 3 | V19 Update 3 |
| SIMATIC WinCC V7.4 | All versions | End of life, no fix planned |
| SIMATIC WinCC V7.5 | All versions < V7.5 SP2 Update 18 | V7.5 SP2 Update 18 |
| SIMATIC WinCC V8.0 | All versions < V8.0 Update 5 | V8.0 Update 5 |
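To turn the fix table into a repeatable check, the following is an added example (not Siemens tooling and not part of the advisory) that parses the version strings the table uses and classifies each installed product as patched, needing an update, or end of life. The fixed versions are transcribed from the table; the `product;version` inventory format, the function names and the sample inventory are constructed for the example, and it assumes installed versions are reported in the same `V<major>[.<minor>] [SP<n>] [Update <n> | UC<n>]` form the table uses, which should be confirmed against the version shown by the installed software on the actual server before trusting the result.

```python
"""Check a SIMATIC software inventory against the SSA-629254 fix table.

Added example, not Siemens tooling. The fix table is transcribed from the
advisory; the inventory format and sample data are constructed, and the
version grammar "V<major>[.<minor>] [SP<n>] [Update <n> | UC<n>]" is
assumed from the forms used in the table.
"""
import re
from typing import NamedTuple, Optional

# Fixed version per product, from the advisory. None = end of life, no fix planned.
FIX_TABLE: dict[str, Optional[str]] = {
    "SIMATIC Information Server 2020": "V2020 SP2 Update 5",
    "SIMATIC Information Server 2022": "V2022 SP1 Update 2",
    "SIMATIC PCS 7 V9.1": "V9.1 SP2 UC06",
    "SIMATIC Process Historian 2020": "V2020 SP2 Update 5",
    "SIMATIC Process Historian 2022": "V2022 SP1 Update 2",
    "SIMATIC WinCC Runtime Professional V18": "V18 Update 5",
    "SIMATIC WinCC Runtime Professional V19": "V19 Update 3",
    "SIMATIC WinCC V7.5": "V7.5 SP2 Update 18",
    "SIMATIC WinCC V8.0": "V8.0 Update 5",
    "SIMATIC BATCH V9.1": None,
    "SIMATIC WinCC V7.4": None,
}

# Assumed grammar: optional leading V, major[.minor], optional SPn,
# optional "Update n" or "UCnn" (update collection, used by PCS 7).
_VERSION_RE = re.compile(
    r"^V?(\d+)(?:\.(\d+))?"
    r"(?:\s+SP(\d+))?"
    r"(?:\s+(?:Update\s*|UC)(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn 'V7.5 SP2 Update 18' into (7, 5, 2, 18); missing parts become 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SIMATIC version string: {text!r}")
    major, minor, sp, update = (int(g) if g else 0 for g in m.groups())
    return major, minor, sp, update


class Finding(NamedTuple):
    product: str
    installed: str
    status: str  # "patched", "update" or "eol"
    action: str


def assess(product: str, installed: str) -> Finding:
    """Compare one installed product against the fix table.

    An unknown product raises KeyError on purpose: a product that is not in
    the table must never be silently reported as safe.
    """
    fixed = FIX_TABLE[product]
    if fixed is None:
        return Finding(product, installed, "eol",
                       "no fix planned; restrict network access and review accounts")
    if parse_version(installed) < parse_version(fixed):
        return Finding(product, installed, "update", f"update to {fixed} or later")
    return Finding(product, installed, "patched", "no action required")


def assess_inventory(lines) -> list[Finding]:
    """Parse 'product;installed version' lines (constructed format, '#' comments
    allowed) and return findings with unpatched systems first."""
    order = {"eol": 0, "update": 1, "patched": 2}
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        product, installed = (part.strip() for part in line.split(";", 1))
        findings.append(assess(product, installed))
    return sorted(findings, key=lambda f: (order[f.status], f.product))


# Constructed sample inventory for the example; not data from a real site.
SAMPLE_INVENTORY = """
# product;installed version
SIMATIC WinCC V7.5;V7.5 SP2 Update 17
SIMATIC WinCC V7.5;V7.5 SP2 Update 18
SIMATIC PCS 7 V9.1;V9.1 SP2 UC05
SIMATIC WinCC Runtime Professional V18;V18 Update 5
SIMATIC Process Historian 2022;V2022 SP1 Update 1
SIMATIC WinCC V7.4;V7.4 SP1
SIMATIC BATCH V9.1;V9.1 SP2
""".strip().splitlines()

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.status:8} {f.product:40} {f.installed:22} {f.action}")
```

Feed it one `product;version` line per installed SIMATIC component; end-of-life products sort to the top because they need compensating controls rather than a patch, and a product name that is not in the table fails loudly instead of being skipped.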
Remediation & Mitigation
Do now
SIMATIC BATCH V9.1, SIMATIC WinCC V7.4
WORKAROUND: For SIMATIC BATCH V9.1 and SIMATIC WinCC V7.4 (no patch available), restrict remote connections to these systems with application-level access controls such as IP allowlisting or mandatory VPN access. Because exploitation requires valid credentials, also review which engineering and operator accounts exist on these systems and remove or rotate any that are not needed.
Schedule (requires maintenance window)
Patching may require a reboot of the affected server; plan for process interruption.
SIMATIC WinCC Runtime Professional V18
HOTFIX: Update SIMATIC WinCC Runtime Professional V18 to Update 5 or later
SIMATIC WinCC Runtime Professional V19
HOTFIX: Update SIMATIC WinCC Runtime Professional V19 to Update 3 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 18 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to Update 5 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to SP2 UC06 or later
SIMATIC Information Server 2020
HOTFIX: Update SIMATIC Information Server 2020 to SP2 Update 5 or later
SIMATIC Information Server 2022
HOTFIX: Update SIMATIC Information Server 2022 to SP1 Update 2 or later
SIMATIC Process Historian 2020
HOTFIX: Update SIMATIC Process Historian 2020 to SP2 Update 5 or later
SIMATIC Process Historian 2022
HOTFIX: Update SIMATIC Process Historian 2022 to SP1 Update 2 or later (available as a bundled version in PCS neo V5.0 Update 1)
Mitigations (no patch available)
The following products have reached end of life with no planned fix: SIMATIC BATCH V9.1, SIMATIC WinCC V7.4. Apply the following compensating controls:
HARDENING: For SIMATIC BATCH V9.1 and SIMATIC WinCC V7.4 (no patch available), implement network segmentation to restrict access to these systems from untrusted networks and limit access to authorized engineering workstations only
HARDENING: Audit and disable unnecessary remote access capabilities on all SIMATIC systems; ensure that only authorized personnel and systems can reach these applications
CVEs (1)