Back to Intelligence

Siemens WinCC Certificate Manager Key Material Exposure: Detection and Hardening (ICSA-26-174-01)

SA
Security Arsenal Team
June 24, 2026
6 min read

Defenders operating in Operational Technology (OT) environments face a critical challenge following the release of CISA Advisory ICSA-26-174-01. A vulnerability in the Siemens WinCC Certificate Manager—component of the SIMATIC WinCC Unified PC Runtime—allows for the insufficient protection of key material. This flaw, classified with a CVSS v3 score of 7.1 (High), enables an attacker who has gained a foothold on the engineering station or runtime server to extract sensitive cryptographic keys.

This is not merely a data leak; the compromise of private keys facilitates Man-in-the-Middle (MitM) attacks, decryption of operational traffic, and potential manipulation of industrial processes. With affected versions spanning V16 through V21, immediate action is required to identify exposed assets and apply the necessary patches or mitigations.

Technical Analysis

Affected Component: The vulnerability resides specifically within the WinCC Certificate Manager, responsible for handling cryptographic material for SIMATIC WinCC Unified PC Runtime systems.

Affected Products & Versions:

  • SIMATIC WinCC Unified PC Runtime V16 (All versions)
  • SIMATIC WinCC Unified PC Runtime V17 (All versions)
  • SIMATIC WinCC Unified PC Runtime V18 (All versions)
  • SIMATIC WinCC Unified PC Runtime V19 (All versions)
  • SIMATIC WinCC Unified PC Runtime V20 (All versions)
  • SIMATIC WinCC Unified PC Runtime V21 (Versions prior to intdot/21.0.2)

Vulnerability Mechanics: The Certificate Manager fails to implement sufficient protection mechanisms for private key material stored on the system. In many ICS configurations, cryptographic keys are stored in formats that may be reversible or accessible with standard OS privileges. An attacker with local access—perhaps achieved via phishing or a separate service exploit—can navigate to the storage location of these keys and extract them.

Exploitation Impact: Successful extraction of key material allows an attacker to:

  1. Decrypt Communications: Capture and decrypt traffic between the HMI (Human-Machine Interface) and PLCs or engineering stations.
  2. Impersonate Systems: Sign malicious code or configuration updates using the trusted keys of the compromised runtime.
  3. Bypass Security Controls: Subvert authentication mechanisms relying on the compromised certificates.

CVSS Score: 7.1 (High) Vendor Advisory: Siemens Security Advisory

Detection & Response

Detecting this specific vulnerability requires identifying the presence of the affected software versions and monitoring for unauthorized access to the key storage directories. Since the flaw is passive (poor protection of data at rest), detection rules focus on Asset Discovery (identifying the vulnerable version) and File Access Monitoring (detecting suspicious reads of certificate stores).

Sigma Rules

YAML
---
title: Potential Siemens WinCC Unified Vulnerable Version Detection
id: 2a8f9b12-4c7e-11ef-9454-0242ac120002
status: experimental
description: Detects the presence of potentially vulnerable SIMATIC WinCC Unified PC Runtime versions (V16-V21) based on file existence patterns.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-01
author: Security Arsenal
date: 2026/06/23
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Siemens\Automation\WinCCUnified\'
    TargetFilename|endswith:
      - '\PcRuntime.exe'
  condition: selection
falsepositives:
  - Legitimate installation of WinCC Unified
level: informational
---
title: Suspicious Access to WinCC Certificate Stores
id: 3b9g0c23-4d8f-11ef-a567-0242ac120003
status: experimental
description: Detects unusual processes attempting to read or access certificate directories used by Siemens WinCC Unified, indicating potential key extraction attempts.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-01
author: Security Arsenal
date: 2026/06/23
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: file_access
  product: windows
detection:
  selection_paths:
    TargetFilename|contains:
      - '\Siemens\Automation\WinCCUnified\'
      - '\WinCC\CertificateManager\'
  selection_exclusions:
    Image|endswith:
      - '\PcRuntime.exe'
      - '\CertificateManager.exe'
      - '\explorer.exe'
      - '\svchost.exe'
  condition: selection_paths and not selection_exclusions
falsepositives:
  - Administrator browsing directories
  - Legitimate backup operations
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for the existence of the vulnerable runtime executable and flags versions that fall within the affected range if file versioning data is available in DeviceFileEvents.

KQL — Microsoft Sentinel / Defender
// Hunt for Siemens WinCC Unified Runtime installations
DeviceFileEvents
| where FolderPath contains @"\Siemens\Automation\WinCCUnified\" 
| where FileName =~ "PcRuntime.exe"
| extend FileVersion = tostring(parse_(AdditionalFields)["FileVersion"])
| project Timestamp, DeviceName, FolderPath, FileName, FileVersion, InitiatingProcessAccountName, InitiatingProcessCommandLine
| summarize arg_max(Timestamp, *) by DeviceName, FolderPath

Velociraptor VQL

This artifact hunts for the installation of WinCC Unified and attempts to parse the file version metadata to determine if the asset is vulnerable.

VQL — Velociraptor
-- Hunt for Siemens WinCC Unified PC Runtime versions
SELECT 
  OSPath, 
  Size, 
  Mtime, 
  parse_string(data=Name, regex="PcRuntime.exe") as Executable
FROM glob(globs="C:\\Program Files\\Siemens\\Automation\\WinCCUnified\\**\\PcRuntime.exe")
WHERE Executable

Remediation Script (PowerShell)

This PowerShell script checks the local system for the affected WinCC Unified versions and reports the status.

PowerShell
# Siemens WinCC Unified Vulnerability Check
# Checks for versions V16 - V21 (< 21.0.2)

$PathsToCheck = @(
    "C:\Program Files\Siemens\Automation\WinCCUnified\",
    "C:\Program Files (x86)\Siemens\Automation\WinCCUnified\"
)

Write-Host "[+] Scanning for SIMATIC WinCC Unified PC Runtime..."

$FoundVulnerable = $false

foreach ($Path in $PathsToCheck) {
    if (Test-Path $Path) {
        Write-Host "[+] Installation found at: $Path"
        
        # Search for PcRuntime.exe to determine version
        $ExePath = Get-ChildItem -Path $Path -Recurse -Filter "PcRuntime.exe" -ErrorAction SilentlyContinue | Select-Object -First 1
        
        if ($ExePath) {
            $VersionInfo = $ExePath.VersionInfo
            $FileVersion = $VersionInfo.FileVersion
            Write-Host "[!] Detected Version: $FileVersion"
            
            # Simple version check logic (V16 through V21 are vulnerable)
            # Assuming standard Siemens versioning format like 16.0.x.x, 21.0.x.x
            if ($FileVersion -match "^1[6-9]\." -or $FileVersion -match "^20\." -or ($FileVersion -match "^21\." -and $VersionInfo.FileMinorPart -lt 2)) {
                Write-Host "[CRITICAL] Vulnerable version detected per ICSA-26-174-01." -ForegroundColor Red
                Write-Host "    Action Required: Update to V21.0.2 or later, or apply strict mitigations."
                $FoundVulnerable = $true
            } elseif ($FileVersion -match "^21\." -and $VersionInfo.FileMinorPart -ge 2) {
                Write-Host "[OK] Version appears patched (V21.0.2+)." -ForegroundColor Green
            }
        }
    }
}

if (-not $FoundVulnerable) {
    Write-Host "[+] No vulnerable WinCC Unified installations detected on this host."
}

Remediation

Siemens has released updates to address the insufficient protection of key material. Apply the following remediation steps immediately:

  1. Update SIMATIC WinCC Unified PC Runtime V21:
SQL
    Update to the latest version (V21.0.2 intdot or later) which includes the fix. Download the update from the Siemens customer support portal.

  1. Mitigations for V16, V17, V18, V19, and V20: Siemens states that fixes are not available for these older versions. Apply the following specific countermeasures:

    • Restrict Access: Enforce strict Access Control Lists (ACLs) on the file system directories storing the certificate material. Ensure only the service account running the WinCC Runtime has read access.
    • Network Segmentation: Ensure the engineering stations and runtime servers are isolated in a dedicated VLAN/Zone, strictly separated from the corporate IT network and untrusted areas.
    • Least Privilege: Ensure local administrator access is revoked from all non-essential personnel.

  2. General Hardening:

    • Review and rotate any certificates that may have been exposed on systems running the vulnerable versions prior to remediation.
    • Monitor for suspicious file access events using the detection rules provided above.

Vendor Advisory: ICSA-26-174-01

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemsiemenswinccics-ot

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
Siemens WinCC Certificate Manager Key Material Exposure: Detection and Hardening (ICSA-26-174-01) | Security Arsenal | Security Arsenal