HIGH 7.1

CVE-2026-24349: SIMATIC WinCC Unified PC Runtime Certificate Manager Key Extraction Vulnerability

A vulnerability in Siemens SIMATIC WinCC Unified PC Runtime allows an attacker with local access to extract sensitive cryptographic material from the Certificate Manager component. The issue stems from inadequate protection of key material stored on disk or in memory, potentially exposing certificates and private keys that protect SCADA/HMI communications. While exploitation requires local system access, the impact is significant because certificate compromise can enable downstream attacks on industrial control systems and their communications.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-313
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-26

NVD description (verbatim)

A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-24349 is a CWE-313 (Cleartext Storage of Sensitive Information) vulnerability affecting WinCC Unified PC Runtime across versions 16–21 (prior to V21 Update 2). The WinCC Certificate Manager insufficiently protects cryptographic key material, allowing local attackers to read sensitive data that should be encrypted or access-restricted. The CVSS 3.1 score of 7.1 (HIGH) reflects a low attack complexity with local access required, no user interaction, and significant confidentiality impact with cross-system scope. Exploitation does not require elevated privileges, making the barrier to entry relatively low for any local user.

Business impact

Compromise of WinCC certificates and keys undermines the integrity and authenticity of HMI-to-controller communications in production environments. Attackers obtaining these credentials can impersonate legitimate systems, intercept or modify process data, or gain unauthorized access to downstream SCADA infrastructure. For organizations running critical manufacturing, utilities, or process control operations on WinCC, this represents a direct threat to operational continuity, product quality, and potentially worker safety. Unpatched systems are vulnerable to insider threats or attackers who gain initial local access through other means.

Affected systems

All versions of SIMATIC WinCC Unified PC Runtime V16, V17, V18, V19, and V20 are vulnerable without exception. V21 versions prior to Update 2 are also affected. Any deployment of these runtime versions on Windows-based HMI or supervisory systems is at risk. Organizations should inventory all WinCC Unified PC Runtime instances across their OT and hybrid networks to identify exposure.

Exploitability

Exploitation is feasible for attackers with local system access—no network interaction, elevated privileges, or user action required. This makes the vulnerability accessible to disgruntled employees, contractors, or external attackers who achieve initial system compromise (e.g., via phishing or unpatched desktop vulnerabilities). The straightforward nature of reading unprotected key material from disk or memory suggests exploit development is within reach of moderately skilled threat actors. However, the local-access requirement does somewhat limit the exposure surface compared to remote vulnerabilities.

Remediation

Organizations must upgrade affected WinCC Unified PC Runtime instances to patched versions. For V21 systems, upgrade to V21 Update 2 or later. Earlier versions (V16–V20) require verification against Siemens' official security advisory to confirm whether patches are available and which versions are recommended. Pending patch availability or deployment, apply defense-in-depth: restrict local system access via endpoint security controls, monitor certificate stores for unauthorized access, and consider isolating affected HMI systems on protected network segments with strong access controls.

Patch guidance

Siemens has released or will release patches through their official advisory channels. V21 users should prioritize upgrading to V21 Update 2 or later. Organizations running V16–V20 must consult the Siemens security advisory to determine patch availability and timelines. Test patches in a non-production environment first, as WinCC runtime updates can affect HMI functionality and historian integrations. Coordinate patching with production schedules to minimize downtime in critical control systems.

Detection guidance

Monitor WinCC systems for direct file access or memory read operations targeting certificate storage locations (typically under ProgramFiles\Siemens\WinCC Unified or registry hives containing key material). Endpoint Detection and Response (EDR) tools should flag unusual process access to sensitive credential stores. Enable file integrity monitoring on WinCC installation directories to detect unauthorized modifications. Review access logs for the WinCC Certificate Manager or key storage facilities. Network-level detection is limited due to the local nature of the attack, so host-based monitoring is essential.

Why prioritize this

This vulnerability merits HIGH priority due to its impact on cryptographic material protecting critical infrastructure communications, combined with low attack complexity and no privilege escalation requirement. While local access is necessary, the abundance of pathways to local compromise (supply chain software, USB vectors, insider access) and the sensitivity of HMI environments make this a realistic threat. Organizations operating production environments should treat this as urgent, particularly if they have confirmed WinCC deployments in security-sensitive roles.

Risk score, explained

The CVSS 3.1 score of 7.1 reflects a high-confidentiality, low-complexity local attack vector affecting sensitive industrial systems. The 'cross-system scope' rating acknowledges that compromised certificates can be leveraged against dependent systems beyond the compromised host. This score appropriately captures the risk to operational technology environments where certificate trust is fundamental. The lack of availability or integrity impact in the base score is offset by the downstream consequences of key compromise.

Frequently asked questions

Do we need network access to exploit this vulnerability?

No. The vulnerability requires only local file or memory access to the compromised WinCC system. An attacker does not need to interact with the system over the network to extract cryptographic material. This makes it particularly dangerous in environments where physical or insider access is a concern.

What happens if our WinCC certificates are stolen?

Stolen certificates allow attackers to impersonate legitimate HMI or controller systems, potentially enabling man-in-the-middle attacks, unauthorized command injection, or data exfiltration. Depending on certificate scope and trust relationships, compromise could extend to connected SCADA devices, engineering workstations, and other infrastructure trusting those certificates.

Is there a workaround if we cannot patch immediately?

Complete workarounds are limited. Interim controls include: strictly limit local system access via privileged account management and EDR/Host-based Intrusion Prevention; isolate affected WinCC systems on dedicated network segments; encrypt WinCC installation drives and enforce file-level access controls; and monitor certificate stores for suspicious access. These reduce risk but do not eliminate the underlying vulnerability.

Does Siemens CISA KEV listing matter for our decision?

This vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) list, meaning active exploitation in the wild has not been formally documented at the time of publication. However, KEV status can change, and the absence of a KEV listing does not diminish the urgency of patching, especially in OT environments where certificate compromise has severe consequences.

This analysis is based on information available as of the publication date and does not constitute professional security advice for any specific organization. Readers must verify all patch version numbers, availability dates, and applicability statements directly against Siemens' official security advisories and product documentation before taking remediation action. Attack surface, risk, and exploitability may vary based on network architecture, access controls, and deployment context. Organizations should engage qualified security and OT personnel to assess their specific exposure and implement appropriate controls. This content is provided for informational purposes only and carries no warranty of accuracy or completeness with respect to future changes in vulnerability status or vendor guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).