Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (siemens) · only source for this CVE.
CVSS VectorVendor: siemens
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.
AnalysisAI
Sensitive key material extraction is possible in Siemens SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to V21 Update 2) due to insufficient protection in the WinCC Certificate Manager component. A local attacker on an affected HMI/SCADA workstation could harvest cryptographic key material that protects operator certificates, potentially enabling impersonation or downstream attacks against industrial control networks. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
SIMATIC WinCC Unified is Siemens' next-generation HMI/SCADA runtime widely deployed on Windows-based engineering and operator workstations in OT environments. The WinCC Certificate Manager handles PKI material used to authenticate runtime components, projects, and communications between HMIs, PLCs, and supervisory systems. CWE-313 (Cleartext Storage in a File or on Disk) indicates the certificate manager stores or exposes key material without adequate filesystem-level cryptographic protection (e.g., not using DPAPI binding, weak ACLs, or plaintext on disk), so any process or user able to read that location obtains usable secrets.
RemediationAI
Vendor-released patch: SIMATIC WinCC Unified PC Runtime V21 Update 2 - upgrade affected systems to that release per Siemens advisory SSA-063511 (https://cert-portal.siemens.com/productcert/html/ssa-063511.html). For V16-V20 where no equivalent patched build is indicated in the advisory, migrate to V21 Update 2 or apply Siemens' general ICS hardening guidance: restrict interactive and remote logon to WinCC Runtime hosts to a minimal operator/engineer set, tighten NTFS ACLs and enable BitLocker on workstations hosting the Certificate Manager to deny offline key extraction, segment the OT network so stolen certificates cannot reach broader systems, and plan certificate rotation after upgrade since previously exposed key material must be considered compromised. Note that BitLocker and ACL hardening do not stop a local administrator from reading keys at runtime, and certificate rotation will require coordinated downtime of dependent HMIs and PLCs.
Same weakness CWE-313 – Cleartext Storage in a File or on Disk
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35382
GHSA-vxrh-p77g-j346