{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)", "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "summary", "text": "WinCC Certificate Manager insufficiently protects key material that could allow an attacker to extract sensitive information.\n\nSiemens has released a new version for SIMATIC WinCC Unified PC Runtime V21 and recommends to update to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.", "title": "Summary" }, { "category": "general", "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "title": "General Recommendations" }, { "category": "general", "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "productcert@siemens.com", "name": "Siemens ProductCERT", "namespace": "https://www.siemens.com" }, "references": [ { "category": "self", "summary": "SSA-063511: Insufficient protection of key material in WinCC Certificate Manager - HTML Version", "url": "https://cert-portal.siemens.com/productcert/html/ssa-063511.html" }, { "category": "self", "summary": "SSA-063511: Insufficient protection of key material in WinCC Certificate Manager - CSAF Version", "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-063511.json" } ], "title": "SSA-063511: Insufficient protection of key material in WinCC Certificate Manager", "tracking": { "current_release_date": "2026-06-09T00:00:00.000Z", "generator": { "engine": { "name": "Siemens ProductCERT CSAF Generator", "version": "1" } }, "id": "SSA-063511", "initial_release_date": "2026-06-09T00:00:00.000Z", "revision_history": [ { "date": "2026-06-09T00:00:00.000Z", "legacy_version": "1.0", "number": "1", "summary": "Publication Date" } ], "status": "interim", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:all/*", "product": { "name": "SIMATIC WinCC Unified PC Runtime V16", "product_id": "1" } } ], "category": "product_name", "name": "SIMATIC WinCC Unified PC Runtime V16" }, { "branches": [ { "category": "product_version_range", "name": "vers:all/*", "product": { "name": "SIMATIC WinCC Unified PC Runtime V17", "product_id": "2" } } ], "category": "product_name", "name": "SIMATIC WinCC Unified PC Runtime V17" }, { "branches": [ { "category": "product_version_range", "name": "vers:all/*", "product": { "name": "SIMATIC WinCC Unified PC Runtime V18", "product_id": "3" } } ], "category": "product_name", "name": "SIMATIC WinCC Unified PC Runtime V18" }, { "branches": [ { "category": "product_version_range", "name": "vers:all/*", "product": { "name": "SIMATIC WinCC Unified PC Runtime V19", "product_id": "4" } } ], "category": "product_name", "name": "SIMATIC WinCC Unified PC Runtime V19" }, { "branches": [ { "category": "product_version_range", "name": "vers:all/*", "product": { "name": "SIMATIC WinCC Unified PC Runtime V20", "product_id": "5" } } ], "category": "product_name", "name": "SIMATIC WinCC Unified PC Runtime V20" }, { "branches": [ { "category": "product_version_range", "name": "vers:intdot/<21.0.2", "product": { "name": "SIMATIC WinCC Unified PC Runtime V21", "product_id": "6" } } ], "category": "product_name", "name": "SIMATIC WinCC Unified PC Runtime V21" } ], "category": "vendor", "name": "Siemens" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-24349", "cwe": { "id": "CWE-313", "name": "Cleartext Storage in a File or on Disk" }, "notes": [ { "category": "summary", "text": "Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.", "title": "Summary" } ], "product_status": { "known_affected": [ "1", "2", "3", "4", "5", "6" ] }, "remediations": [ { "category": "mitigation", "details": "The affected product may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with the affected product.", "product_ids": [ "1", "2", "3", "4", "5", "6" ] }, { "category": "no_fix_planned", "details": "Currently no fix is planned", "product_ids": [ "1", "2", "3", "4", "5" ] }, { "category": "vendor_fix", "details": "Update to V21 Update 2 or later version", "product_ids": [ "6" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109991140/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "products": [ "1", "2", "3", "4", "5", "6" ] } ], "title": "CVE-2026-24349" } ] }