CVE-2026-24349
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk0th percentile - higher than 0% of all known CVEs
Summary
A vulnerability in SIMATIC WinCC Unified PC Runtime (versions V16-V21 before V21 Update 2) is caused by insufficient protection of key material in the WinCC Certificate Manager. It allows an attacker to extract sensitive information.
Risk Assessment
The risk involves the possibility of an attacker extracting cryptographic keys, which could compromise the confidentiality of communication and the authenticity of the SCADA system.
Recommendation
It is recommended to immediately update to SIMATIC WinCC Unified PC Runtime V21 Update 2 or later. For older versions, restrict system access and monitor logs for unauthorized access attempts.
Original NVD description (English source)
A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.

