A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd 11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd 11), SIMATIC WinCC Professional (TIA Portal V13) (All versions), SIMATIC WinCC Professional (TIA Portal V14) (All versions < V14 SP1 Upd 9), SIMATIC WinCC Professional (TIA Portal V15) (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). The SIMATIC WinCC DataMonitor web application of the affected products allows arbitrary ASPX code to be uploaded. The security vulnerability could be exploited by an authenticated attacker with network access to the WinCC DataMonitor application. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device. At the stage of publishing this security advisory, no public exploitation is known.
This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.2, indicating it can be exploited remotely over the network with relatively low complexity and without requiring user interaction. The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. It impacts 3 products from Siemens; organizations running these solutions should prioritize assessment and patching.
First disclosed in 2019, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.
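Published: 2019-07-11T22:15:11.797
Last modified: 2024-11-21T04:20:11.120
Status: Modified
CVSSv3.0: 7.2 (HIGH)
CVSS v2 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS v2 exploitability score: 8.0
CVSS v2 impact score: 6.4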
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | siemens | simatic_pcs_7 | 8.0 | Yes |
| Application | siemens | simatic_pcs_7 | 8.1 | Yes |
| Application | siemens | simatic_pcs_7 | 8.2 | Yes |
| Application | siemens | simatic_pcs_7 | 9.0 | Yes |
| Application | siemens | simatic_wincc | ≤ 7.2 | Yes |
| Application | siemens | simatic_wincc | 7.3 | Yes |
| Application | siemens | simatic_wincc | 7.4 | Yes |
| Application | siemens | simatic_wincc | 7.5 | Yes |
| Application | siemens | simatic_wincc | 13 | Yes |
| Application | siemens | simatic_wincc | 14 | Yes |
| Application | siemens | simatic_wincc | 15 | Yes |
| Application | siemens | simatic_wincc_runtime | 13 | Yes |
| Application | siemens | simatic_wincc_runtime | 14 | Yes |
| Application | siemens | simatic_wincc_runtime | 15 | Yes |
| Application | siemens | simatic_wincc_runtime | 15.1 | Yes |
SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For the affected Siemens products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies, only the defensive intelligence necessary for patch management, risk assessment, and security operations.