Siemens WinCC Certificate Manager Vulnerability Exposes Sensitive Data to Local Attackers
CISA disclosed a high-severity vulnerability in Siemens WinCC Certificate Manager that could allow local attackers to extract sensitive key material from industrial systems.

CISA and Siemens have disclosed CVE-2026-24349, a high-severity vulnerability in the Siemens WinCC Certificate Manager that could allow an attacker with local access to extract sensitive information. The flaw, rated 7.1 on the CVSS v3 scale, stems from insufficient protection of key material stored in a file or on disk (CWE-313). The advisory, published as ICSA-26-174-01, warns that the vulnerability affects a broad range of SIMATIC WinCC Unified PC Runtime versions, from V16 through V21, which are widely deployed across critical infrastructure sectors including energy, healthcare, transportation, and financial services worldwide.
The vulnerability resides in the WinCC Certificate Manager component, which is responsible for handling cryptographic keys used to secure communications and authenticate devices in industrial environments. Because the key material is not adequately protected, an attacker who gains local access to a system—either through physical presence or by compromising a user account—could extract sensitive credentials or certificates. This could enable further lateral movement within an industrial network, potentially leading to disruption of control systems or data exfiltration.
Siemens has released a fix for the latest affected branch: SIMATIC WinCC Unified PC Runtime V21 Update 2. Users running V21 are urged to update to version 21.0.2 or later immediately. For older versions (V16 through V20), Siemens has stated that no fix is currently planned. The company recommends that organizations operating these older versions restrict physical and logical access to the devices to qualified personnel only, in accordance with Siemens' operational guidelines for Industrial Security.
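For operators on the V16 through V20 branches, where the only mitigation the advisory offers is restricting access, it helps to be able to check that restriction on the host itself. The following PowerShell script is an added example written for this article, not code from Siemens or from the advisory: it walks a directory that holds certificate and key material, reports any Allow ACE that gives broad local principals (Everyone, Users, Authenticated Users) read access, and separately flags PEM files whose first line marks an unencrypted private key, which is the CWE-313 condition the advisory describes. The directory path is a placeholder and the list of "broad" principals is an assumption; substitute the locations and group names that apply to your installation.

```powershell
# Added example (not from Siemens or CISA): audit a key-material directory on a
# WinCC host for overly broad read access and for cleartext private keys.
# The default path is a PLACEHOLDER; point it at the directory your installation uses.
param(
    [string]$KeyMaterialPath = 'C:\PLACEHOLDER\WinCC\Certificates'
)

# Assumption: these principals should never be able to read private key material
# on a runtime host. Extend the list to match local policy.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# ReadData is the bit that allows reading file contents; FullControl includes it,
# so a FullControl ACE is caught as well. Generic access masks that Get-Acl leaves
# unmapped (shown as raw integers) are not decoded here.
$ReadBit = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-KeyMaterialAcl {
    param([string]$Path)

    $findings = @()
    # Audit the directory itself plus every file and subdirectory beneath it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $principal = $ace.IdentityReference.Value
            if (($BroadPrincipals -contains $principal) -and
                (($ace.FileSystemRights -band $ReadBit) -ne 0)) {
                $findings += [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $principal
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Issue     = 'Broad read access'
                }
            }
        }

        # Independently of the ACL, flag PEM private keys stored without a passphrase.
        # An "ENCRYPTED PRIVATE KEY" header does not match and is not reported.
        if (-not $item.PSIsContainer -and ($item.Extension -in '.pem', '.key')) {
            $head = Get-Content -LiteralPath $item.FullName -TotalCount 1 -ErrorAction SilentlyContinue
            if ($head -match '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$') {
                $findings += [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = '(n/a)'
                    Rights    = '(n/a)'
                    Inherited = $false
                    Issue     = 'Cleartext private key on disk'
                }
            }
        }
    }
    return $findings
}

$results = @(Test-KeyMaterialAcl -Path $KeyMaterialPath)
if ($results.Count -eq 0) {
    Write-Output "No broad read access or cleartext private keys found under $KeyMaterialPath"
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every ACL can be read. Findings with Inherited set to True usually mean the permissive entry comes from a parent directory, so the fix belongs there rather than on the individual file; a "Cleartext private key on disk" finding is a case where tightening the ACL reduces but does not remove the exposure, which is why the advisory's guidance is to limit who can log on to the host at all.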
The advisory also notes that the vulnerability was reported to Siemens ProductCERT, which coordinated with CISA for disclosure. While there is no evidence of active exploitation in the wild at the time of publication, the high CVSS score and the sensitive nature of the exposed data make this a priority for patching. CISA has recommended that organizations minimize network exposure for affected control system devices, isolate them behind firewalls, and use VPNs for remote access where necessary.
This disclosure adds to a growing list of Siemens industrial product vulnerabilities addressed in recent months. Earlier in June 2026, CISA warned of a critical OpenSSL buffer overflow affecting dozens of Siemens products, including SCALANCE routers and AI servers. The repeated findings highlight the challenge of securing legacy and long-lifecycle industrial equipment, where patches for older versions are often unavailable, leaving operators reliant on compensatory controls.
Organizations using SIMATIC WinCC Unified PC Runtime should prioritize updating to V21 Update 2 where possible. For those unable to upgrade, strict access controls and network segmentation are essential to mitigate the risk of local exploitation. Siemens has provided detailed guidance on its support portal, and CISA encourages all affected entities to review the full advisory and implement recommended defensive measures.