SSA-063511
Vulnerability from csaf_siemens - Published: 2026-06-09 00:00 - Updated: 2026-06-09 00:00
Summary
SSA-063511: Insufficient protection of key material in WinCC Certificate Manager
Notes
Summary: WinCC Certificate Manager insufficiently protects key material that could allow an attacker to extract sensitive information.
Siemens has released a new version for SIMATIC WinCC Unified PC Runtime V21 and recommends to update to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.
General Recommendations: As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
CVSS v3.1 base score: 7.1 (High)
Affected products
Known affected: 6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SIMATIC WinCC Unified PC Runtime V16 (Siemens / SIMATIC WinCC Unified PC Runtime V16) | | vers:all/* | Mitigation; No Fix Planned |
| SIMATIC WinCC Unified PC Runtime V17 (Siemens / SIMATIC WinCC Unified PC Runtime V17) | | vers:all/* | Mitigation; No Fix Planned |
| SIMATIC WinCC Unified PC Runtime V18 (Siemens / SIMATIC WinCC Unified PC Runtime V18) | | vers:all/* | Mitigation; No Fix Planned |
| SIMATIC WinCC Unified PC Runtime V19 (Siemens / SIMATIC WinCC Unified PC Runtime V19) | | vers:all/* | Mitigation; No Fix Planned |
| SIMATIC WinCC Unified PC Runtime V20 (Siemens / SIMATIC WinCC Unified PC Runtime V20) | | vers:all/* | Mitigation; No Fix Planned |
| SIMATIC WinCC Unified PC Runtime V21 (Siemens / SIMATIC WinCC Unified PC Runtime V21) | | vers:intdot/<21.0.2 | Mitigation; Vendor Fix |
References
2 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "WinCC Certificate Manager insufficiently protects key material that could allow an attacker to extract sensitive information.\n\nSiemens has released a new version for SIMATIC WinCC Unified PC Runtime V21 and recommends to update to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-063511: Insufficient protection of key material in WinCC Certificate Manager - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-063511.html"
},
{
"category": "self",
"summary": "SSA-063511: Insufficient protection of key material in WinCC Certificate Manager - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-063511.json"
}
],
"title": "SSA-063511: Insufficient protection of key material in WinCC Certificate Manager",
"tracking": {
"current_release_date": "2026-06-09T00:00:00.000Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-063511",
"initial_release_date": "2026-06-09T00:00:00.000Z",
"revision_history": [
{
"date": "2026-06-09T00:00:00.000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "interim",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SIMATIC WinCC Unified PC Runtime V16",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "SIMATIC WinCC Unified PC Runtime V16"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SIMATIC WinCC Unified PC Runtime V17",
"product_id": "2"
}
}
],
"category": "product_name",
"name": "SIMATIC WinCC Unified PC Runtime V17"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SIMATIC WinCC Unified PC Runtime V18",
"product_id": "3"
}
}
],
"category": "product_name",
"name": "SIMATIC WinCC Unified PC Runtime V18"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SIMATIC WinCC Unified PC Runtime V19",
"product_id": "4"
}
}
],
"category": "product_name",
"name": "SIMATIC WinCC Unified PC Runtime V19"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "SIMATIC WinCC Unified PC Runtime V20",
"product_id": "5"
}
}
],
"category": "product_name",
"name": "SIMATIC WinCC Unified PC Runtime V20"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c21.0.2",
"product": {
"name": "SIMATIC WinCC Unified PC Runtime V21",
"product_id": "6"
}
}
],
"category": "product_name",
"name": "SIMATIC WinCC Unified PC Runtime V21"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-24349",
"cwe": {
"id": "CWE-313",
"name": "Cleartext Storage in a File or on Disk"
},
"notes": [
{
"category": "summary",
"text": "Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6"
]
},
"remediations": [
{
"category": "mitigation",
"details": "The affected product may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with the affected product.",
"product_ids": [
"1",
"2",
"3",
"4",
"5",
"6"
]
},
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "vendor_fix",
"details": "Update to V21 Update 2 or later version",
"product_ids": [
"6"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109991140/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6"
]
}
],
"title": "CVE-2026-24349"
}
]
}