Full Report
The products listed below contain a remote code execution vulnerability that could allow an authenticated remote attacker to execute arbitrary code with high privileges. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Remote Code Execution in SIMATIC SCADA and PCS 7 Systems
## CVE Details
- **CVE ID:** CVE-2024-35783
- **CVSS Score:** 9.1 (Critical) [v3.1] / 9.4 (Critical) [v4.0]
- **CWE:** CWE-250: Execution with Unnecessary Privileges
## Affected Systems
- **Products & Versions:**
  - **SIMATIC BATCH V9.1:** All versions
  - **SIMATIC Information Server 2020:** < V2020 SP2 Update 5
  - **SIMATIC Information Server 2022:** < V2022 SP1 Update 2
  - **SIMATIC PCS 7 V9.1:** < V9.1 SP2 UC06
  - **SIMATIC Process Historian 2020:** < V2020 SP2 Update 5
  - **SIMATIC Process Historian 2022:** < V2022 SP1 Update 2
  - **SIMATIC WinCC Runtime Professional V18:** < V18 Update 5
  - **SIMATIC WinCC Runtime Professional V19:** < V19 Update 3
  - **SIMATIC WinCC V7.4:** All versions
  - **SIMATIC WinCC V7.5:** < V7.5 SP2 Update 18
- **Configurations:** Systems where the database server components are running with elevated OS privileges.
## Vulnerability Description
The affected products run their database (DB) server components with unnecessarily high privileges. An authenticated remote attacker can leverage these elevated permissions to bypass security boundaries and execute arbitrary operating system commands with administrative/high privileges.
## Exploitation
- **Status:** Proof of Concept (PoC) available (based on the CVSS Exploit Code Maturity metric E:P, Proof-of-Concept).
- **Complexity:** Low
- **Attack Vector:** Network
- **Authentication:** Required (High privileges/Authenticated attacker).
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system files and configurations)
- **Availability:** High (Potential for total system disruption)
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **PCS 7 V9.1 / BATCH V9.1:** Update to V9.1 SP2 UC06.
- **Information Server/Process Historian 2020:** Update to V2020 SP2 Update 5.
- **Information Server/Process Historian 2022:** Update to version bundled with PCS neo V5.0 Update 1.
- **WinCC Runtime Professional V18:** Update to V18 Update 5.
- **WinCC Runtime Professional V19:** Update to V19 Update 3.
- **WinCC V7.5:** Update to V7.5 SP2 Update 18.
### Workarounds
- **SIMATIC WinCC V7.4:** No fix is currently planned; users should implement general security hardening.
- **General Mitigation:**
  - Ensure the principle of least privilege is applied to all service accounts.
  - Restrict network access to the database and SCADA server components to trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Monitor for unexpected child processes spawned by database server executables (e.g., `sqlservr.exe` spawning `cmd.exe` or `powershell.exe`).
- **Detection methods:** Audit OS-level administrative logs for unauthorized command execution originating from service accounts associated with SIMATIC products.
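The parent/child process check described above, as an added detection example that is not part of the Siemens advisory. It scans process-creation records in Sysmon Event ID 1 field style (`ParentImage`, `Image`, `User`, `CommandLine`) and flags a database server executable spawning a command interpreter; the sample events, the SQL Server instance path and the account names are constructed, and the script hosts beyond `cmd.exe` and `powershell.exe` are an assumed defensive extension of the page's list.

```python
import json
from pathlib import PureWindowsPath

# DB server images to watch. sqlservr.exe is the one named on the page; add others
# used by your deployment (assumption: you know which DB engine each product runs).
DB_SERVER_IMAGES = {"sqlservr.exe"}

# Interpreters and script hosts whose launch from a DB server is suspicious.
# cmd.exe and powershell.exe come from the page; the rest are standard Windows
# script hosts added here as a defensive extension.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(image_path: str) -> str:
    """Lower-cased file name of a Windows image path ('' if the field is missing)."""
    return PureWindowsPath(image_path).name.lower()

def suspicious_child(record: dict) -> bool:
    """True when a DB server process spawned a shell or script host."""
    return (basename(record.get("ParentImage", "")) in DB_SERVER_IMAGES
            and basename(record.get("Image", "")) in SHELL_IMAGES)

def scan(lines):
    """Parse JSON-lines process-creation records; return one alert per suspicious spawn."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it rather than abort the scan
        if suspicious_child(rec):
            alerts.append({"time": rec.get("UtcTime"), "user": rec.get("User"),
                           "parent": basename(rec["ParentImage"]),
                           "child": basename(rec["Image"]),
                           "cmd": rec.get("CommandLine", "")})
    return alerts

# Constructed sample events in Sysmon Event ID 1 field style (not real logs).
SAMPLE_EVENTS = r'''
{"UtcTime": "2024-06-11 08:15:02", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ver"}
{"UtcTime": "2024-06-11 08:15:03", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\SQLDumper.exe", "CommandLine": "SQLDumper.exe"}
{"UtcTime": "2024-06-11 08:16:40", "User": "PLANT\\operator", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
'''

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Only the first sample record is reported: the second is the DB server launching one of its own tools, and the third is a shell started by an interactive user, which is the noise a plain "any powershell.exe" rule would raise.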
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-629254.html
- **Support Links:**
- hxxps://support.industry.siemens[.]com/cs/ww/en/view/109812242/
- hxxps://support.industry.siemens[.]com/cs/ww/en/view/109977244/