Siemens WinCC Certificate Manager Insufficient Protection of Key Material (CVE-2026-24349)

Siemens Security Advisory: Insufficient protection of key material in WinCC Certificate Manager Vulnerability Overview Vulnerability ID: SSA-063511 Release Date: 2026-06-09 Last Updated: 2026-06-09 Current Version: V1.0 CVSS v3.1 Base Score: 7.1 CVSS v4.0 Base Score: 8.2 Vulnerability Description: The WinCC Certificate Manager fails to adequately protect key material, potentially allowing attackers to extract sensitive information. Affected Products Affected Products: Totally Integrated Automation Portal (TIA Portal) Specific Versions: Not explicitly listed; refer to the "Known Affected Products" section for detailed information. Remediation Recommended Actions: Siemens has released a new version of SIMATIC WinCC Unified PC Runtime V21. It is recommended to update to the latest version. Temporary Mitigations: - Operate the affected products only by qualified personnel, adhering to the warnings and instructions in the relevant documentation. - Qualified personnel should possess the necessary training and experience to identify risks and avoid potential hazards. - Follow Siemens' general security recommendations, such as securing network access and configuring the environment appropriately. Vulnerability Details CVE ID: CVE-2026-24349 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/N/A:N CVSS v4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/NV:H/NA:N/SC:H/NI:N/A:N CWE ID: CWE-313: Cleartext Storage in a File or on Disk Additional Information Contact Information: For further inquiries regarding security vulnerabilities, please contact Siemens ProductCERT. History: V1.0 (2026-06-09): Release date Terms of Use The use of Siemens security advisories is subject to the terms and conditions listed on the Siemens website.

Goal Reached Thanks to every supporter — we hit 100%!

Siemens WinCC Certificate Manager Insufficient Protection of Key Material (CVE-2026-24349)