Siemens left certificate private keys sitting on disk in the clear across six major versions of its WinCC Unified PC Runtime, and only the newest release gets a patch.
CVE-2026-24349: Keys Stored on Disk, No Encryption Needed
CVE-2026-24349 carries a CVSS 3.1 score of 7.1 (HIGH). The root cause is CWE-313: Cleartext Storage in a File or on Disk. An attacker with local access to the machine can extract the certificate key material. They don't need credentials - the vector string AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N reads as local access (AV:L), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), changed scope (S:C), high confidentiality impact (C:H) and no integrity or availability impact (I:N/A:N).
Affected installations cover every version of SIMATIC WinCC Unified PC Runtime from V16 through V21. That's a half-decade of products storing keys in the open. The vulnerability is in the WinCC Certificate Manager component, which handles certificate lifecycle for HMI and SCADA systems.
The Fix (and the Gap)
Siemens released a fix: update to V21 Update 2 or later (Siemens advisory: https://support.industry.siemens.com/cs/ww/en/view/109991140/). For V16 through V20, there is no fix planned. Not "not yet available" - no fix. The advisory states "Currently no fix is planned" for those versions.
If you're running an older WinCC Unified PC Runtime, you are stuck with a local privilege escalation vector that dumps certificate material. Your only recourse is operational containment: restrict physical and network access, enforce strict personnel qualifications, and firewall the hell out of the system.
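Containment starts with knowing where the cleartext key material actually sits. The following audit is an added example, not Siemens' or CISA's code, and it does not know WinCC's real on-disk key format: it assumes PEM-encoded keys (the common case) and flags every private-key block that is not wrapped in an encrypted envelope, i.e. exactly the CWE-313 condition. The sample files it writes are constructed filler, not real keys.

```python
"""Audit a directory tree for private keys stored in cleartext (CWE-313).

Added example; assumes PEM-encoded key files, which may not match WinCC's
actual certificate store layout.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# One PEM private-key block, whatever the label (PKCS#8, RSA, EC, ...).
# Traditional OpenSSL blocks are encrypted only when the body carries a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses the label
# "ENCRYPTED PRIVATE KEY" instead.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]*PRIVATE KEY)-----\s*(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed samples: the base64 filler decodes to a marker string, not a key.
FILLER = "Q09OU1RSVUNURURfU0FNUExFX05PVF9BX1JFQUxfS0VZ\n"
CLEARTEXT_PKCS8 = "-----BEGIN PRIVATE KEY-----\n" + FILLER + "-----END PRIVATE KEY-----\n"
ENCRYPTED_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + FILLER
                   + "-----END ENCRYPTED PRIVATE KEY-----\n")
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    + FILLER + "-----END RSA PRIVATE KEY-----\n")
CLEARTEXT_EC = "-----BEGIN EC PRIVATE KEY-----\n" + FILLER + "-----END EC PRIVATE KEY-----\n"
CERT_ONLY = "-----BEGIN CERTIFICATE-----\n" + FILLER + "-----END CERTIFICATE-----\n"


@dataclass
class Finding:
    path: str
    label: str
    encrypted: bool


def classify_pem(text: str) -> list[tuple[str, bool]]:
    """Return (label, encrypted) for every private-key block in a PEM text.
    Certificates and public keys are ignored; only private keys matter here."""
    results = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        results.append((label, encrypted))
    return results


def scan_tree(root: str, extensions=(".pem", ".key", ".crt", ".txt")) -> list[Finding]:
    """Walk a directory tree and classify every private key found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            for label, encrypted in classify_pem(text):
                findings.append(Finding(path, label, encrypted))
    return findings


def cleartext_keys(findings: list[Finding]) -> list[Finding]:
    """The CWE-313 hits: private keys any local reader can use as-is."""
    return [f for f in findings if not f.encrypted]


def demo() -> dict:
    """Write the constructed samples into a temporary store and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "store/device.key": CLEARTEXT_PKCS8,          # cleartext PKCS#8
            "store/backup.pem": ENCRYPTED_PKCS8,          # passphrase-protected
            "store/legacy.key": LEGACY_ENCRYPTED,         # encrypted traditional
            "store/bundle.pem": CERT_ONLY + CLEARTEXT_EC, # cert plus cleartext key
            "store/ca.crt": CERT_ONLY,                    # no private key at all
        }
        for rel, text in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        findings = scan_tree(root)
        exposed = sorted(os.path.relpath(f.path, root).replace(os.sep, "/")
                         for f in cleartext_keys(findings))
        return {"total": len(findings), "cleartext": exposed}


if __name__ == "__main__":
    result = demo()
    print(f"{result['total']} private keys found; cleartext: {result['cleartext']}")
```

Point `scan_tree` at the directories your certificate manager writes to and treat every cleartext hit as a file whose read permissions, backup handling and host access controls need review until the system can be moved to a fixed release.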
What This Means for ICS Operators
Critical Manufacturing, Energy, Transportation, Healthcare, Financial Services, Government - all listed as deployed sectors worldwide. A local attacker who compromises a single engineering workstation or runtime node can grab certificate keys. Those keys could then be used to impersonate the device, decrypt traffic, or sign malicious payloads.
Siemens' general recommendations include "protect network access with appropriate mechanisms" and following their Industrial Security guidelines. That's boilerplate but relevant. CISA adds the usual: minimize network exposure, use VPNs, perform impact analysis.
No exploit code is published yet, but the vulnerability is trivial to understand. I'd treat this as a high-priority remediation for V21 systems and a serious risk assessment trigger for any older installation that can't be upgraded.
The next time you see a certificate store pop up in a security scan, remember: Siemens just proved that even industrial control vendors can fail the basic test of encrypting key material at rest.
Source: Siemens WinCC Certificate Manager
Domain: cisa.gov