Description
A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.
Published: 2026-06-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is insufficient protection of key material in the WinCC Certificate Manager, a component of Siemens SIMATIC WinCC Unified PC Runtime. Classified as CWE‑313, it allows an attacker to retrieve sensitive information such as cryptographic keys, which could be used to decrypt data or hijack control system communications.

Affected Systems

Siemens SIMATIC WinCC Unified PC Runtime versions V16 through V20, and V21 prior to Update 2, are affected. These runtimes are widely used in industrial control systems, making the issue relevant to critical infrastructure operators.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalogue, though that does not diminish the risk of exploitation. The attack vector is not explicitly stated, but it is inferred that an attacker with local or network access could leverage the weak protection to read the stored keys. Operators should treat this as a significant threat, especially if the runtime is exposed to untrusted networks.

Generated by OpenCVE AI on June 9, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy Siemens’s security patch or upgrade to the latest available version (for example, V21 Update 2 or newer) to remove the insecure key storage issue.
  • If a patch is not yet available, restrict access to the WinCC Certificate Manager by applying strict ACLs and disabling the component on systems that do not require certificate management.
  • Enable or enforce encryption of key material at rest if the software supports it, or migrate critical keys to an external secure key management system.
  • Monitor system logs for unauthorized read attempts on key files and enforce mandatory security training for operators managing the runtime.

Generated by OpenCVE AI on June 9, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Siemens
Siemens simatic Wincc Unified Pc Runtime
Vendors & Products Siemens
Siemens simatic Wincc Unified Pc Runtime

Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Title Insecure Storage of Key Material in SIMATIC WinCC Unified PC Runtime

Tue, 09 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.
Weaknesses CWE-313
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Siemens Simatic Wincc Unified Pc Runtime
cve-icon MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-06-09T12:54:20.058Z

Reserved: 2026-01-22T13:21:49.113Z

Link: CVE-2026-24349

cve-icon Vulnrichment

Updated: 2026-06-09T12:54:14.543Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T10:16:42.967

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-24349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:21:07Z

Weaknesses