OTPulse

Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products

Priority: Act Now | CVSS base score: 9.9 | Advisory: SSA-840188 | Published: Nov 9, 2021
Attack vector: Network
Auth required: Low
Complexity: Low
User interaction: None needed
Summary

Multiple path traversal and sensitive data exposure vulnerabilities (CWE-22, CWE-532) in SIMATIC WinCC and related SIMATIC products allow authenticated users to escalate privileges and read, write, or delete critical files on affected systems. The vulnerabilities exist in a shared component, SIMATIC Communication Services (SCS), that ships with several Siemens industrial automation products. Because the component is shared, patching one product may remediate the issue for the other products on the same installation, which is why the advisory tells users of products without their own fix to patch the related products on the same host. Affected product lines include SIMATIC PCS 7 (V8.2 through V9.1), SIMATIC WinCC (V7.4, V7.5, and V15 through V17), SIMATIC Route Control (V8.2 through V9.1), SIMATIC BATCH (V8.2 through V9.1), OpenPCS 7 (V8.2 through V9.1), and SIMATIC NET PC Software (V14 through V17). Siemens has released fixes for 11 of the 21 affected product versions; the remaining 10 had no fix available at publication.

What this means
What could happen
An authenticated attacker with local or network access to a SIMATIC system could escalate privileges and read, write, or delete critical configuration and process files, potentially disrupting control system operations or enabling further system compromise. The shared component vulnerability means a single attack path could compromise multiple SIMATIC applications on the same engineering or control workstation.
Who's at risk
This vulnerability affects industrial control system operators and engineers using Siemens SIMATIC automation software. Primary concern: utilities and manufacturers running SIMATIC PCS 7 process control systems, SIMATIC WinCC human-machine interfaces (HMIs), SIMATIC BATCH batch processing systems, SIMATIC Route Control for controlling material transport routes in process plants, and SIMATIC NET PC communication software. Any organization using these products for critical process control, power distribution, water treatment, manufacturing, or chemical processing should assess its exposure. Because the vulnerable component is shared, multiple applications on a single engineering workstation or control server could be compromised simultaneously.
How it could be exploited
An authenticated user (such as a compromised operator account or engineering workstation user) exploits a path traversal flaw in the SIMATIC Communication Services shared component to access files outside intended directories. By writing malicious files to sensitive locations, the attacker could modify process setpoints, disable alarms, or corrupt the control logic database. Alternatively, the attacker reads critical files (process databases, user credentials, configuration files) to gain information for lateral movement or persistence.
Prerequisites
  • Valid user credentials (operator, engineer, or service account) to access the SIMATIC application
  • Local or network access to the affected SIMATIC software component
  • The application must be running and the shared SIMATIC Communication Services (SCS) component must be loaded
  • Ability to interact with file system paths accessible through the WinCC or PCS 7 interface
Key points
  • Authenticated access is required, which limits exposure on isolated systems, but insider threats and compromised operator accounts remain a concern
  • The path traversal flaw allows reading and writing critical files
  • The vulnerable SIMATIC Communication Services (SCS) component is foundational and shared across multiple product lines
  • Many product versions have no fix available; end-of-life products remain vulnerable
  • High CVSS (9.9) indicates severe impact; the low EPSS (0.7%) indicates exploitation is not currently widespread
  • Affects process control and batch systems with direct impact on plant operations
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (21)
11 with fix, 10 pending
Product | Affected versions | Fix status
SIMATIC PCS 7 V8.2 | All versions | V8.2 SP1
SIMATIC PCS 7 V9.0 | All versions < V9.0 SP3 UC04 | V9.0 SP3 UC04
SIMATIC PCS 7 V9.1 | All versions < V9.1 SP1 | V9.1 SP1
SIMATIC WinCC V15 and earlier | All versions < V15 SP1 Update 7 | V15 SP1 Update 7
SIMATIC WinCC V16 | All versions < V16 Update 5 | V16 Update 5
(The table is truncated on the page; the remaining products are listed under Remediation & Mitigation.)
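Matching a host against the fix table starts with knowing which of the 21 product versions are installed on it. The following PowerShell inventory script is an added example, not part of the advisory or of any Siemens tooling. It assumes the products register under the standard Windows Uninstall registry keys with a Publisher string beginning with "Siemens"; the product-family patterns are taken from the advisory's product list, and the output is meant for manual comparison against the fix table rather than an automatic verdict, because version strings differ per product.

```powershell
# Added example (not from the advisory): inventory Siemens software on a WinCC /
# PCS 7 host so each product can be matched against the SSA-840188 fix table.
# Assumption: products appear under the standard Uninstall keys with a Publisher
# string starting with "Siemens" (true for the SIMATIC installers in my experience,
# but verify on your image).

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$siemens = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.Publisher -like 'Siemens*' -and $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName -Unique

# Product families named in SSA-840188. Anything matching is listed for review
# against the fix table; no automatic vulnerable/fixed decision is made here.
$patterns = 'SIMATIC PCS 7', 'SIMATIC WinCC', 'SIMATIC Route Control',
            'SIMATIC BATCH', 'OpenPCS 7', 'SIMATIC NET'

$affected = $siemens | Where-Object {
    $name = $_.DisplayName
    $patterns | Where-Object { $name -like "*$_*" }
}

"Siemens packages found: $($siemens.Count); in SSA-840188 product families: $($affected.Count)"
$affected | Format-Table -AutoSize

# Export per host so the results can be merged fleet-wide (file name is a suggestion).
$affected | Export-Csv -Path "$env:COMPUTERNAME-simatic-inventory.csv" -NoTypeInformation
```

Run it once per engineering station and server; because the vulnerable component is shared, a host that shows a patched WinCC alongside an unpatched BATCH or Route Control is the case the workaround below is written for.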
Remediation & Mitigation
Do now
HARDENING: Restrict user credentials and implement least-privilege access controls for operators and engineering staff accessing SIMATIC applications; disable unnecessary service accounts
HARDENING: Implement network segmentation and firewall rules to limit access to SIMATIC systems from untrusted networks; restrict access to engineering workstations and operator terminals
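Since the flaw is only reachable by an authenticated user, the first "Do now" item is mostly a question of who holds credentials on the SIMATIC host. The following PowerShell account review is an added example, not something from the advisory or from Siemens. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session; the account name in the final comment is hypothetical.

```powershell
# Added example (not from the advisory): review local accounts on a SIMATIC
# workstation in support of the least-privilege step. Assumes the
# Microsoft.PowerShell.LocalAccounts module and an administrator session.

$adminMembers = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

"Members of the local Administrators group:"
$adminMembers | Format-Table -AutoSize

# Enabled local accounts whose passwords never expire are typical of forgotten
# service or vendor accounts; check each against the site's account inventory.
$neverExpire = Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.PasswordExpires) } |
    Select-Object Name, LastLogon, PasswordLastSet

"Enabled local accounts with non-expiring passwords:"
$neverExpire | Format-Table -AutoSize

# Accounts in both lists deserve first attention: a non-expiring local admin
# is exactly the credential an attacker needs to reach this vulnerability.
$adminNames = $adminMembers | ForEach-Object { ($_.Name -split '\\')[-1] }
$flagged = $neverExpire | Where-Object { $adminNames -contains $_.Name }

"Non-expiring local accounts that are also administrators:"
$flagged | Format-Table -AutoSize

# Disable only after confirming the account is unused by the process, e.g.:
#   Disable-LocalUser -Name 'svc_oldvendor'    # hypothetical account name
```

Domain accounts in the Administrators group show PrincipalSource ActiveDirectory and are not covered by Get-LocalUser; review those against the domain's group policy separately.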
Schedule — requires maintenance window

Patching may require a host reboot; plan for process interruption

SIMATIC PCS 7 V8.2
HOTFIX: Update SIMATIC PCS 7 V8.2 to SP1 and apply SIMATIC WinCC V7.4 SP1 Update 19 or later, which remediates the shared component
SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 V9.0 to SP3 UC04
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to SP1
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to SP1 Update 19 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 5 or later
SIMATIC WinCC V15 and earlier
HOTFIX: Update SIMATIC WinCC V15 to SP1 Update 7 or later
SIMATIC WinCC V16
HOTFIX: Update SIMATIC WinCC V16 to Update 5 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to Update 2 or later
OpenPCS 7 V9.0
HOTFIX: Update OpenPCS 7 V9.0 to Update 4
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software V16 to Update 6 or later
SIMATIC NET PC Software V17
HOTFIX: Update SIMATIC NET PC Software V17 to SP1 or later
Products without a fix
WORKAROUND: For products with no available fix (SIMATIC Route Control V8.2/V9.0/V9.1, OpenPCS 7 V8.2/V9.1, SIMATIC BATCH V8.2/V9.0/V9.1, SIMATIC NET PC Software V14/V15), patch the related products installed on the same system so that the shared SCS component is updated, and plan to upgrade or decommission end-of-life versions
Long-term hardening
HARDENING: Monitor file system changes on systems running SIMATIC software, particularly changes to critical directories and configuration files
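A path traversal that can write or delete files leaves traces on disk, so the monitoring step above is a practical compensating control for the product versions with no fix. The following PowerShell hash-baseline check is an added example, not part of the advisory or of any Siemens tooling. The directory list is an assumption to adapt per site (the Siemens folders under Program Files are a starting point, not a statement of where SCS keeps its configuration), and the baseline file location is a suggestion.

```powershell
# Added example (not from the advisory): file integrity check for directories a
# SIMATIC installation writes into. Run once with -Baseline after patching, then
# without it on a schedule; differences indicate files added, removed or modified
# since the baseline. The default paths are assumptions; adapt them per site.
param(
    [string[]]$Paths = @("$env:ProgramFiles\Siemens", "${env:ProgramFiles(x86)}\Siemens"),
    [string]$BaselineFile = "$env:ProgramData\fim-simatic-baseline.csv",
    [switch]$Baseline
)

function Get-TreeHashes {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Files locked by a running process are skipped rather than aborting the scan.
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) { [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash } }
            }
    }
}

if ($Baseline) {
    Get-TreeHashes -Roots $Paths | Export-Csv -Path $BaselineFile -NoTypeInformation
    "Baseline written: $BaselineFile"
    return
}

if (-not (Test-Path $BaselineFile)) { throw "No baseline at $BaselineFile; run with -Baseline first." }

$old = @{}
Import-Csv $BaselineFile | ForEach-Object { $old[$_.Path] = $_.Hash }
$new = @{}
Get-TreeHashes -Roots $Paths | ForEach-Object { $new[$_.Path] = $_.Hash }

$added    = @($new.Keys | Where-Object { -not $old.ContainsKey($_) })
$removed  = @($old.Keys | Where-Object { -not $new.ContainsKey($_) })
$modified = @($new.Keys | Where-Object { $old.ContainsKey($_) -and $old[$_] -ne $new[$_] })

foreach ($p in $added)    { "ADDED    $p" }
foreach ($p in $removed)  { "REMOVED  $p" }
foreach ($p in $modified) { "MODIFIED $p" }
if ($added.Count + $removed.Count + $modified.Count -eq 0) { "No changes since baseline." }
```

Re-baseline after every approved change (patch, project download, configuration edit) so that the report only ever shows unexpected activity; on hosts that already forward Windows logs, an auditing SACL on the same directories with Security event 4663 gives the same signal in near real time and records which account made the change.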