IronMonkey Threat Research

SSA-063511: Insufficient protection of key material in WinCC Certificate Manager

HIGH
CVSS 7.1
Date 2026-06-09T00:00:00+00:00
Source siemens-productcert
Published by Siemens ProductCERT

// Description

WinCC Certificate Manager insufficiently protects key material, which could allow an attacker to extract sensitive information. Siemens has released a new version for SIMATIC WinCC Unified PC Runtime V21 and recommends updating to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.

// Vulnerabilities (1)

| CVE ID | CVSS Score | Severity | Description |
|---|---|---|---|
| CVE-2026-24349 | 7.1 | high | Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information. |

// Affected Products (6)

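| Vendor | Product | Asset Type | Purdue Level | Firmware |
|---|---|---|---|---|
| Siemens | Unknown | hmi | L2 | -- |
| Siemens | Unknown | hmi | L2 | -- |
| Siemens | Unknown | hmi | L2 | -- |
| Siemens | Unknown | hmi | L2 | -- |
| Siemens | Unknown | hmi | L2 | -- |
| Siemens | Unknown | hmi | L2 | -- |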

// Remediations (2)

Patch: Update to V21 Update 2 or later version

Mitigation: The affected product may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with the affected product.

// References