OTPulse

Deserialization Vulnerability in Siemens Engineering Platforms

Plan Patch · 8.2 · SSA-693808 · Aug 12, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

The affected Siemens engineering products do not properly restrict access permissions to a Windows Named Pipe and do not sanitize user-controllable input sent to that pipe. A local authenticated attacker could exploit improper type handling during deserialization to cause type confusion and execute arbitrary code within the affected application and its privileges. Affected products include SIMATIC PCS neo (all V4.1, V5.0, V6.0), SIMATIC S7-PLCSIM V17, SIMATIC STEP 7 (V17, V18, V19, V20), SIMATIC WinCC (V17, V18, V19, V20), SIMOCODE ES (V17–V20), SIMOTION SCOUT TIA (V5.4–V5.7), SINAMICS Startdrive (V17–V20), SIRIUS Safety ES (V17–V20), SIRIUS Soft Starter ES (V17–V20), TIA Portal Cloud (V17, V18, V19, V20), and TIA Portal Test Suite V20.

What this means
What could happen
A local attacker with Windows logon credentials could send malicious data to an engineering workstation and execute arbitrary code with the privileges of the engineering application (STEP 7, WinCC, etc.), potentially allowing manipulation of PLC programs and process control parameters before deployment to production systems.
Who's at risk
Manufacturing facilities using Siemens engineering platforms to design and deploy PLC control logic. This affects engineering teams and planners who use STEP 7, WinCC, SINAMICS Startdrive, SIMOTION SCOUT TIA, SIMOCODE ES, SIRIUS Safety ES, and SIRIUS Soft Starter ES tools to program and configure automation systems. TIA Portal Cloud users are also affected. The vulnerability does not directly compromise running production PLCs, but could allow tampering with logic before it is uploaded to devices.
How it could be exploited
An attacker with local access and valid Windows credentials opens the affected Siemens engineering software (STEP 7, WinCC, SINAMICS Startdrive, or SIMOTION SCOUT TIA). The attacker sends a specially crafted input to the Windows Named Pipe that the application uses internally, exploiting insufficient input validation and type confusion in deserialization. This allows code execution within the engineering application's security context.
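As an added defender-side check (not part of the OTPulse advisory or of Siemens' own tooling), the following Windows PowerShell script enumerates the named pipes on a workstation and reports those whose DACL grants write access to broad groups such as Everyone or Authenticated Users, which is the permission weakness the advisory describes. The advisory does not name the affected pipe, so the name filter is an assumption and defaults to auditing every pipe; it assumes Windows PowerShell 5.1, where PipeStream.GetAccessControl is available.

```powershell
# Added example, not OTPulse or Siemens code: audit named-pipe DACLs on an
# engineering workstation and flag pipes writable by low-privileged principals.
# Assumes Windows PowerShell 5.1 (.NET Framework), run as a normal user.
$BroadGroups = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-WeakNamedPipes {
    # $Pattern is hypothetical: the advisory does not name the pipe, so '*'
    # audits every pipe; narrow it once the pipe name is known from vendor data.
    param([string]$Pattern = '*')
    $findings = @()
    foreach ($path in [System.IO.Directory]::GetFiles('\\.\pipe\')) {
        $name = $path.Substring('\\.\pipe\'.Length)
        if ($name -notlike $Pattern) { continue }
        $client = $null
        try {
            # A read-only client handle carries READ_CONTROL, enough to read the DACL.
            $client = New-Object System.IO.Pipes.NamedPipeClientStream(
                '.', $name, [System.IO.Pipes.PipeDirection]::In)
            $client.Connect(200)
            $acl   = $client.GetAccessControl()
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
            foreach ($rule in $rules) {
                $canWrite = ($rule.PipeAccessRights -band
                             [System.IO.Pipes.PipeAccessRights]::WriteData) -ne 0
                if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
                    ($BroadGroups -contains $rule.IdentityReference.Value)) {
                    $findings += [pscustomobject]@{
                        Pipe      = $name
                        Principal = $rule.IdentityReference.Value
                        Rights    = $rule.PipeAccessRights
                    }
                }
            }
        } catch {
            # Pipes that are busy, inbound-only, or otherwise unopenable are
            # skipped rather than reported; re-run to catch transient instances.
        } finally {
            if ($client) { $client.Dispose() }
        }
    }
    return $findings
}

# Report every pipe a standard user could write to; review each against the
# application that owns it and the vendor's hardening guidance.
Get-WeakNamedPipes -Pattern '*' | Sort-Object Pipe | Format-Table -AutoSize
```

A writable pipe is only a lead, not a confirmed defect: the owning process and its expected clients decide whether the grant is appropriate.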
Prerequisites
  • Local access to Windows engineering workstation or TIA Portal server
  • Valid Windows user account credentials (does not require administrator or engineering-level privileges)
  • Affected Siemens engineering product installed (STEP 7, WinCC, SINAMICS Startdrive, SIMOTION SCOUT TIA, or SIMOCODE ES)
Key points:
  • Local access required (lower risk than remote)
  • Low-to-medium complexity exploitation
  • Requires valid Windows credentials (standard user level sufficient)
  • Type confusion in deserialization (common exploitation primitive)
  • No fix available for many product versions (PCS neo, STEP 7 V18, WinCC V18, SIMOCODE ES, SIMOTION SCOUT TIA V5.4/5.5/5.7, SINAMICS Startdrive, SIRIUS Safety ES, SIRIUS Soft Starter ES, TIA Portal Cloud V17/V18)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (37)
8 with fix · 29 pending

Product                 | Affected Versions              | Fix Status
SIMATIC PCS neo V4.1    | All versions                   | No fix yet
SIMATIC PCS neo V5.0    | All versions                   | No fix yet
SIMATIC PCS neo V6.0    | All versions                   | No fix yet
SIMATIC S7-PLCSIM V17   | All versions                   | No fix yet
SIMATIC STEP 7 V17      | All versions < V17 Update 9    | V17 Update 9
Remediation & Mitigation
Do now
WORKAROUND: Restrict local logon access to engineering workstations: disable or limit interactive Windows user accounts that do not require daily access to STEP 7, WinCC, or other affected tools
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC STEP 7 V17
HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later
SIMATIC STEP 7 V19
HOTFIX: Update SIMATIC STEP 7 V19 to Update 4 or later
SIMATIC STEP 7 V20
HOTFIX: Update SIMATIC STEP 7 V20 to Update 4 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to Update 9 or later
SIMATIC WinCC V19
HOTFIX: Update SIMATIC WinCC V19 to Update 4 or later
SIMATIC WinCC V20
HOTFIX: Update SIMATIC WinCC V20 to Update 4 or later
SIMOTION SCOUT TIA V5.6
HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
SIRIUS Safety ES V17 (TIA Portal)
HOTFIX: Update TIA Portal Test Suite V20 to Update 4 or later
Long-term hardening
SIRIUS Safety ES V17 (TIA Portal)
HARDENING: Monitor and control physical and remote access to engineering workstations and TIA Portal servers; implement badge readers or VPN access controls to prevent unauthorized local logon
All products
HARDENING: Apply the Windows principle of least privilege: ensure engineering workstation users run STEP 7, WinCC, and related tools as standard users, not as local or domain administrators