CVE-2026-24349
Received - Intake
Denial of Service in SIMATIC WinCC Unified PC Runtime

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Siemens AG

Description
A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager could allow an attacker to extract sensitive information.

Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor | Product | Version / Range
siemens | simatic_wincc_unified_pc_runtime | 16
siemens | simatic_wincc_unified_pc_runtime | 17
siemens | simatic_wincc_unified_pc_runtime | 18
siemens | simatic_wincc_unified_pc_runtime | 19
siemens | simatic_wincc_unified_pc_runtime | 20
siemens | simatic_wincc_unified_pc_runtime | to 21_update_2 (exc)
CWE
CWE ID | Description
CWE-313 | The product stores sensitive information in cleartext in a file, or on disk.

Executive Summary

This vulnerability exists in the WinCC Certificate Manager component of SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to Update 2). It involves insufficient protection of key material, which means that sensitive cryptographic keys are not adequately secured.

Because of this weakness, an attacker with local access could potentially extract sensitive information from the system.

Impact Analysis

The impact of this vulnerability is that an attacker could gain access to sensitive cryptographic key material stored in the WinCC Certificate Manager.

This could lead to unauthorized disclosure of sensitive information, potentially compromising the security of the affected system.

Since the vulnerability has a high severity score (CVSS v4.0 base score of 8.2), it represents a significant security risk if exploited.

Detection Guidance

There are no specific detection methods or commands provided in the available information to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, Siemens recommends updating SIMATIC WinCC Unified PC Runtime to version V21 Update 2 or later.

Additionally, restrict access to the affected systems to qualified personnel only.

Follow general security guidelines such as protecting network access and configuring the environment according to Siemens' operational guidelines for Industrial Security.

Compliance Impact

The vulnerability involves insufficient protection of key material in the WinCC Certificate Manager, which could allow an attacker to extract sensitive information. This exposure of sensitive information could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require adequate protection of sensitive data.

However, the provided information does not explicitly discuss the direct effects on compliance with specific standards or regulations, nor does it detail any regulatory implications.
