Full Report
The installers used to install several Siemens products are affected by a DLL hijacking vulnerability. This could allow an attacker to execute arbitrary code when a legitimate user installs an application that uses the affected installer component. This vulnerability poses a risk only during setup and installation phase of the affected applications downloaded e.g. via OSD (Online Software Delivery). Siemens has released new versions for several affected products and recommends using the latest versions during setup and installation. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: DLL Hijacking in Siemens Web Installer
## CVE Details
- **CVE ID:** CVE-2025-30033
- **CVSS Score:** 7.8 (v3.1) / 8.5 (v4.0) (High)
- **CWE:** CWE-427: Uncontrolled Search Path Element (DLL Hijacking)
## Affected Systems
- **Products:** Multiple Siemens industrial software products using the Web Installer component, including:
- **Automation License Manager:** V6.0 (All), V6.2 (< V6.2 Upd3)
- **SIMATIC PCS 7:** V9.1 (All), V10.0 (All)
- **TIA Portal:** V17, V18, V19, V20 (various sub-components)
- **SIMATIC WinCC:** Runtime Advanced, Runtime Professional, Visualization Architect
- **Others:** Create MyConfig (CMC), MultiFieldbus Configuration Tool (MFCT), SIMATIC PDM, SIMATIC Logon, and various library packages (CFL, EnSL).
- **Versions:** Specific versions updated through February 2026.
- **Configurations:** Vulnerability is triggered specifically during the **setup and installation phase**, particularly for applications downloaded via Online Software Delivery (OSD).
## Vulnerability Description
The installer component used by various Siemens products fails to properly validate or restrict the path from which it loads dynamic link libraries (DLLs). By placing a malicious DLL file in the same directory as the installer executable (e.g., the Downloads folder), an attacker can trick the installer into executing arbitrary code with the privileges of the user running the setup.
## Exploitation
- **Status:** PoC available (Shared by researcher Sahil Shah; no mention of active exploitation in the wild in the advisory).
- **Complexity:** Medium (Requires enticing a user to place the installer in a contaminated directory).
- **Attack Vector:** Local (Attacker must be able to place a file on the local file system prior to installation).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Total:** Full system compromise is possible under the context of the user performing the installation.
## Remediation
### Patches
Siemens has released updates for several products. Key fixes include:
- **Automation License Manager V6.2:** Update to V6.2 Upd3 or later.
- **Create MyConfig (CMC):** Update to V6.9 or later.
- **MFCT:** Update to V1.5.5.0 or later.
- **SIMATIC PCS 7 / SIMATIC Logon / SIMATIC PDM:** Refer to specific updated versions in the vendor advisory.
*Note: For several legacy versions (e.g., SIMATIC ProSave V17, TIA Project-Server V17), **no fix is planned**. Users should migrate to supported versions.*
### Workarounds
- **Strict Directory Isolation:** Only run installers from a clean, dedicated directory containing **only** the installer executable.
- **Download Integrity:** Ensure installers are downloaded via secure channels and verified.
- **Principal of Least Privilege:** Avoid running installers from common "Downloads" folders where other untrusted files may reside.
## Detection
- **Indicators of Compromise:** Presence of unexpected DLL files in temporary installation directories or the source folder of the Siemens installer.
- **Detection methods:** Monitor for unusual child processes spawned by Siemens setup executables. Use File Integrity Monitoring (FIM) or EDR tools to detect unauthorized DLL side-loading.
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-282044[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories