High severity 7.1 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-24349

Description

SIMATIC WinCC Unified PC Runtime has a key material protection flaw in WinCC Certificate Manager, allowing sensitive information extraction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to V21 Update 2) due to insufficient protection of key material within the WinCC Certificate Manager. This flaw allows for the potential extraction of sensitive information.

Exploitation

An attacker with sufficient access to the affected system could exploit this vulnerability by interacting with the WinCC Certificate Manager to extract sensitive key material. The available references do not disclose specific attacker prerequisites or exploitation steps.

Impact

Successful exploitation of this vulnerability could allow an attacker to extract sensitive information, specifically key material, from the WinCC Certificate Manager. The exact scope and privilege level of the compromise are not detailed in the available references.

Mitigation

Siemens has released an update for SIMATIC WinCC Unified PC Runtime V21 and recommends updating to the latest version. For products where fixes are not yet available, Siemens recommends specific countermeasures. The affected versions are SIMATIC WinCC Unified PC Runtime V16, V17, V18, V19, V20, and V21 < V21 Update 2 [1].

References
  1. SSA-063511

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
