OTPulse

Deserialization Vulnerability in Siemens Engineering Platforms before V20

Plan: Patch
CVSS: 7.8
Advisory: SSA-800126
Date: Dec 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Affected Siemens engineering products do not properly sanitize user-controllable input when parsing files, allowing an attacker to cause type confusion and execute arbitrary code within the affected application. The vulnerability impacts multiple product families across the TIA Portal suite, including WinCC, STEP 7, STEP 7 Safety, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety tools, and others. Siemens has released patches for V17 Update 9, V19 Update 4, and SIMOTION SCOUT TIA V5.6 SP1 HF7. Products based on TIA Portal V20 are not affected. Many older versions (V16, V18, and all versions of SIMOCODE ES, SINAMICS Startdrive, SIMOTION SCOUT V5.4/5.5, and SIRIUS products) have no fix planned.

What this means
What could happen
An attacker could craft a malicious file that exploits how these engineering workstations parse input, allowing arbitrary code execution on the engineering computer—potentially compromising PLC program development and deployment.
Who's at risk
Manufacturing engineers and operators using Siemens TIA Portal engineering suite products should care about this. It affects WinCC (HMI/SCADA visualization), STEP 7 (PLC programming), SIMOTION SCOUT (motion control), SINAMICS Startdrive (drive engineering), SIRIUS Safety tools (safety logic design), and related configuration tools. If you use any version of these tools to program or configure Siemens automation equipment (PLCs, drives, safety modules), you are affected.
How it could be exploited
An attacker delivers a crafted file (project, configuration, or data file) to an engineer via email or shared drive. When the engineer opens it in an affected Siemens engineering tool (WinCC, STEP 7, etc.), the application fails to sanitize the input during deserialization, triggering a type confusion that executes the attacker's code within the engineering workstation's context.
Prerequisites
  • User interaction required: engineer must open the malicious file in an affected Siemens engineering application
  • Access to the engineering workstation or ability to deliver a file to it
  • The affected product installed and in use
  • Requires user interaction to exploit
  • Low complexity attack
  • No authentication required
  • High CVSS score (7.8)
  • Many products with no fix available
  • Affects engineering/safety-critical software
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (39)
9 with fix, 30 pending

Product                    | Affected Versions            | Fix Status
SIMATIC WinCC Unified V18  | All versions                 | No fix yet
SIMATIC WinCC Unified V19  | All versions < V19 Update 4  | V19 Update 4
SIMATIC WinCC V16          | All versions                 | No fix yet
SIMATIC WinCC V17          | All versions < V17 Update 9  | V17 Update 9
SIMATIC WinCC V18          | All versions                 | No fix yet
Remediation & Mitigation
Do now
SIRIUS Safety ES V17 (TIA Portal)
  WORKAROUND: For products without fixes (V16, early V18, SIMOCODE ES, SINAMICS Startdrive, SIRIUS Safety/Soft Starter, S7-PLCSIM, TIA Portal Cloud V19 below V5.2.1.1), restrict file access and implement strict file validation procedures; review incoming project files for tampering before opening them in engineering tools.
All products
  HARDENING: Restrict download and opening of project files and configurations to trusted internal sources only; disable external file sharing to engineering workstations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC V17
  HOTFIX: Update SIMATIC WinCC V17 to Update 9 or later
SIMATIC WinCC V19
  HOTFIX: Update SIMATIC WinCC V19 to Update 4 or later
SIMATIC WinCC Unified V17
  HOTFIX: Update SIMATIC WinCC Unified V17 to Update 9 or later
SIMATIC WinCC Unified V19
  HOTFIX: Update SIMATIC WinCC Unified V19 to Update 4 or later
SIMATIC STEP 7 V17
  HOTFIX: Update SIMATIC STEP 7 V17 to Update 9 or later
SIMATIC STEP 7 V19
  HOTFIX: Update SIMATIC STEP 7 V19 to Update 4 or later
SIMATIC STEP 7 Safety V17
  HOTFIX: Update SIMATIC STEP 7 Safety V17 to Update 9 or later
SIMATIC STEP 7 Safety V19
  HOTFIX: Update SIMATIC STEP 7 Safety V19 to Update 4 or later
SIMOTION SCOUT TIA V5.6
  HOTFIX: Update SIMOTION SCOUT TIA V5.6 to SP1 HF7 or later
SIRIUS Safety ES V17 (TIA Portal)
  HOTFIX: Update TIA Portal Cloud to V5.2.1.1 or later
Long-term hardening
SIRIUS Safety ES V17 (TIA Portal)
  HOTFIX: Migrate to TIA Portal V20 or later to eliminate this vulnerability
All products
  HARDENING: Implement network segmentation to isolate engineering workstations from untrusted networks and limit lateral movement if a workstation is compromised