CVE-2026-24349
Analyzed - Analysis Complete

Denial of Service in SIMATIC WinCC Unified PC Runtime


Publication date: 2026-06-09

Last updated on: 2026-06-26

Assigner: Siemens AG

Description

A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager could allow an attacker to extract sensitive information.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-26
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

Showing 3 associated CPEs
Vendor | Product | Version / Range
siemens | simatic_wincc_unified_pc_runtime | From 16 (inc) to 20 (inc)
siemens | simatic_wincc_unified_pc_runtime | 21
siemens | simatic_wincc_unified_pc_runtime | 21

CWE

CWE ID | Description
CWE-313 | The product stores sensitive information in cleartext in a file, or on disk.

Executive Summary

This vulnerability exists in the WinCC Certificate Manager component of SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to Update 2). It involves insufficient protection of key material, which means that sensitive cryptographic keys are not adequately secured.

Because of this weakness, an attacker with local access could potentially extract sensitive information from the system.

Impact Analysis

The impact of this vulnerability is that an attacker could gain access to sensitive cryptographic key material stored in the WinCC Certificate Manager.

This could lead to unauthorized disclosure of sensitive information, potentially compromising the security of the affected system.

Since the vulnerability has a high severity score (CVSS v4.0 base score of 8.2), it represents a significant security risk if exploited.

Detection Guidance

There are no specific detection methods or commands provided in the available information to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, Siemens recommends updating SIMATIC WinCC Unified PC Runtime to version V21 Update 2 or later.

Additionally, restrict access to the affected systems to qualified personnel only.

Follow general security guidelines such as protecting network access and configuring the environment according to Siemens' operational guidelines for Industrial Security.

Compliance Impact

The vulnerability involves insufficient protection of key material in the WinCC Certificate Manager, which could allow an attacker to extract sensitive information. This exposure of sensitive information could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require adequate protection of sensitive data.

However, the provided information does not explicitly discuss the direct effects on compliance with specific standards or regulations, nor does it detail any regulatory implications.
