CVE Catalog

CVE-2026-24349

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.06%

0th percentile - higher than 0% of all known CVEs

Summary

A vulnerability in SIMATIC WinCC Unified PC Runtime (versions V16-V21 before V21 Update 2) is caused by insufficient protection of key material in the WinCC Certificate Manager. It allows an attacker to extract sensitive information.

Risk Assessment

The risk involves the possibility of an attacker extracting cryptographic keys, which could compromise the confidentiality of communication and the authenticity of the SCADA system.

Recommendation

It is recommended to immediately update to SIMATIC WinCC Unified PC Runtime V21 Update 2 or later. For older versions, restrict system access and monitor logs for unauthorized access attempts.

Original NVD description (English source)

A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS