CVE-2026-24349: A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runt

Synopsis

An insufficient key-material protection vulnerability exists in the WinCC Certificate Manager component of Siemens SIMATIC WinCC Unified PC Runtime (versions V16 through V21 prior to V21 Update 2). The flaw is reached locally with no authentication required, meaning an attacker who already has a shell or process on the host can exploit it without any credentials. Successful exploitation allows the attacker to extract sensitive cryptographic key material and certificate data from the system. A patched-image rebuild at V21 Update 2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityNot required

  The attacker needs an existing shell or process on the host; no network access to the service is required.

• AuthenticationNot required

  No credentials of any privilege level are needed to trigger the vulnerability.

• Victim interactionNot required

  Exploitation is entirely attacker-driven and does not require any action from a user or operator on the target system.

• Attack complexityDetail

  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

• Reads cryptographic key material stored by the WinCC Certificate Manager, including private keys associated with issued certificates.
• Reads sensitive certificate data scoped to the local system, which can expose trust relationships within the OT or ICS network segment.
• Extracted key material can be used outside this host to impersonate the affected system or decrypt traffic protected by those certificates.