OTPulse

Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products

Monitor | CVSS 6.3 | SSA-914168 | Feb 8, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

Multiple vulnerabilities in SIMATIC WinCC allow attackers with login credentials to retrieve and brute force password hashes, potentially gaining unauthorized access to other systems and data. The vulnerabilities affect multiple versions of WinCC (the human-machine interface and SCADA software used in Siemens automation systems) and related products including SIMATIC PCS 7. Affected versions include WinCC V7.4, V7.5, V15, V16, and V17, as well as PCS 7 V8.2, V9.0, and V9.1.

What this means
What could happen
An attacker with login credentials to WinCC could extract password hashes and use them to gain unauthorized access to operator workstations, engineering stations, and potentially other networked systems in your facility, compromising confidentiality of user credentials and system access.
Who's at risk
Water utilities, electric utilities, and any facility running Siemens SIMATIC WinCC or SIMATIC PCS 7 systems should review their version numbers. This affects HMI/SCADA systems used in water treatment, wastewater operations, power generation, and distribution control rooms. PCS 7 V8.2 has no patch available and should be prioritized for upgrade planning. All other affected versions have patches available.
How it could be exploited
An attacker must first obtain valid credentials for a WinCC system (through phishing, weak passwords, or credential reuse). Once logged in, they exploit the vulnerability to extract password hashes from the WinCC database. These hashes can be cracked offline to recover cleartext passwords, which can then be used to access other systems, engineering workstations, or the HMI interface itself to monitor or potentially modify process logic.
Prerequisites
  • Valid WinCC login credentials (operator, engineer, or administrator account)
  • Network or local access to the WinCC system
  • Access to the WinCC user database or authentication mechanism
  • Requires valid credentials (not unauthenticated)
  • Password hash extraction enables offline cracking
  • Affects critical infrastructure HMI/SCADA systems
  • PCS 7 V8.2 end-of-life with no patch available
  • Complexity: High (requires specific knowledge and credentials)
  • CVSS score 6.3 indicates medium severity
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (9)
8 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS 7 V9.0 | All versions | 9.0 SP3 UpdateCollection04
SIMATIC PCS 7 V9.1 | < V9.1 SP1 | 9.1 SP1
SIMATIC WinCC V15 and earlier | < V15 SP1 Update 7 | 15 SP1 Update 7
SIMATIC WinCC V16 | < V16 Update 5 | 16 Update 5
SIMATIC WinCC V17 | < V17 Update 2 | 17 Update 2
SIMATIC WinCC V17 | ≥ V17 Update 2 < V17 Update 4 | 17 Update 4
SIMATIC WinCC V7.4 | < V7.4 SP1 Update 19 | 7.4 SP1 Update 19
SIMATIC WinCC V7.5 | < V7.5 SP2 Update 6 | 7.5 SP2 Update 6
Remediation & Mitigation
Do now
HARDENING: Enforce strong password policies for all WinCC accounts to increase difficulty of brute-force attacks on extracted password hashes
HARDENING: Restrict WinCC access to authorized personnel using role-based access controls and limit login attempts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC V16
HOTFIX: Update SIMATIC WinCC V16 to version 16 Update 5 or later
SIMATIC WinCC V17
HOTFIX: Update SIMATIC WinCC V17 to version 17 Update 4 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to version 7.4 SP1 Update 19 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to version 7.5 SP2 Update 6 or later
SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 V9.0 to version 9.0 SP3 UpdateCollection04 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to version 9.1 SP1 or later
All products
HOTFIX: Update SIMATIC WinCC V15 to version 15 SP1 Update 7 or later
Mitigations - no patch available
SIMATIC PCS 7 V8.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For SIMATIC PCS 7 V8.2 (no patch available): Implement network segmentation and strict access controls to limit who can reach the PCS 7 system. Consider upgrading to a supported version as part of long-term maintenance planning.
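
To sort an asset inventory against the remediation targets above, the following is an added example (not code from Siemens or from this page). It assumes installed versions are recorded in the same "V7.5 SP2 Update 5" style the advisory uses; the product keys, function names and sample inventory are constructed for illustration.

```python
import re

# Minimum remediated release per product line, copied from the advisory's
# remediation list; None marks the end-of-life line with no patch.
FIXED = {
    "WinCC V7.4": "7.4 SP1 Update 19",
    "WinCC V7.5": "7.5 SP2 Update 6",
    "WinCC V15 and earlier": "15 SP1 Update 7",
    "WinCC V16": "16 Update 5",
    "WinCC V17": "17 Update 4",
    "PCS 7 V9.0": "9.0 SP3 UpdateCollection04",
    "PCS 7 V9.1": "9.1 SP1",
    "PCS 7 V8.2": None,
}
_VER = re.compile(
    r"V?(?P<base>\d+(?:\.\d+)?)(?:\s+SP(?P<sp>\d+))?"
    r"(?:\s+Update(?:Collection)?\s*(?P<upd>\d+))?\s*$", re.IGNORECASE)

def parse(version):
    """Return (base, service pack, update); missing parts count as 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = tuple(int(p) for p in m["base"].split("."))
    return base, int(m["sp"] or 0), int(m["upd"] or 0)

def triage(product, installed):
    """Classify one inventory entry as 'fixed', 'update' or 'eol'."""
    target = FIXED[product]      # KeyError: line not covered by this advisory
    if target is None:
        return "eol"             # compensating controls only
    have, need = parse(installed), parse(target)
    # Only the "and earlier" line accepts a base release below the target's.
    older_ok = product.endswith("and earlier") and have[0] < need[0]
    if have[0] != need[0] and not older_ok:
        raise ValueError(f"{installed!r} is not a {product} release")
    # Tuple order makes a higher service pack outrank any update number.
    return "fixed" if have >= need else "update"

# Constructed inventory for illustration (not from the advisory).
INVENTORY = [
    ("WinCC V7.5", "V7.5 SP2 Update 5"),
    ("WinCC V17", "V17 Update 2"),
    ("PCS 7 V9.0", "V9.0 SP3 UpdateCollection04"),
    ("PCS 7 V8.2", "V8.2"),
]

if __name__ == "__main__":
    for product, installed in INVENTORY:
        print(f"{product:12} {installed:30} {triage(product, installed)}")
```

Entries reported as "eol" have no update path and fall under the compensating controls listed for PCS 7 V8.2.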