SSA-121293 (Last Update: 2019-08-13): Code Upload Vulnerability in SIMATIC WinCC and SIMATIC PCS 7

Published

2019-08-13 00:00:00 UTC

Summary

The latest update for SIMATIC WinCC fixes a vulnerability in the SIMATIC WinCC DataMonitor web application of the affected products that allows an attacker to upload arbitrary ASPX code.

The attacker must be authenticated with a valid user account. The vulnerability is only relevant for scenarios where access via the web interface is feasible for an attacker while access to the directory structure is not.

Siemens has released updates for several affected products and recommends that customers update to the new version. Siemens is preparing further updates and recommends specific countermeasures until patches are available.