Description
A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions <= V17 Update 4), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The affected component stores the credentials of a local system account in a potentially publicly accessible project file using an outdated cipher algorithm. An attacker may use this to brute force the credentials and take over the system.
Scores
CVSS v3
7.8
EPSS
0.0003
EPSS Percentile
7.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-312
CWE-538
Status
published
Products (10)
siemens/simatic_pcs_7
9.0
siemens/simatic_pcs_7
9.1
siemens/simatic_pcs_7
< 8.2
siemens/simatic_wincc
7.4 (21 CPE variants)
siemens/simatic_wincc
7.5 (10 CPE variants)
siemens/simatic_wincc
13 (3 CPE variants)
siemens/simatic_wincc
14.0.1
siemens/simatic_wincc
15
siemens/simatic_wincc
15.1 (7 CPE variants)
siemens/simatic_wincc
16 (4 CPE variants)
Published
Feb 09, 2022
Tracked Since
Feb 18, 2026