HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Siemens WinCC Certificate Manager Stores Keys in Cleartext (CVE‑2026‑24349) – Critical Risk to Industrial Control Systems

Siemens' WinCC Certificate Manager was found to store private key material in cleartext, exposing critical‑infrastructure operators to credential theft. The issue affects WinCC Unified PC Runtime versions V16‑V21. For compliance teams, the flaw highlights a control‑mapping gap in SOC 2 encryption‑at‑rest requirements.

LiveThreat™ Intelligence · 📅 June 23, 2026· 📰 cisa.gov
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
cisa.gov

Siemens WinCC Certificate Manager Stores Keys in Cleartext (CVE‑2026‑24349) – Critical Risk to Industrial Control Systems

What It Is – The WinCC Certificate Manager component of Siemens SIMATIC WinCC Unified PC Runtime fails to protect private key material, storing it in cleartext on disk. An attacker with local or remote access could extract these keys and decrypt communications or impersonate trusted devices.

Exploitability – No public exploit code is known, but the vulnerability is trivial to leverage once an adversary gains system access. CVSS v3.1 base score 7.1 (High).

Affected Products – Siemens WinCC Certificate Manager bundled with SIMATIC WinCC Unified PC Runtime versions V16‑V21 (all variants, with V21 fixed only in versions ≥ 21.0.2).

Why It Matters for Compliance & Audit Readiness

  • Control Mapping – The flaw reveals a gap in the “Encryption at rest” and “Key Management” controls required by SOC 2 CC6.1 and ISO 27001 A.10.1. Continuous evidence of proper key protection is now a audit‑critical evidence point.
  • Audit Trail – Demonstrating that key material is never stored in cleartext (or that compensating controls are in place) provides defensible proof of due‑diligence for regulators and enterprise customers.
  • Enterprise Buyer Expectations – Critical‑infrastructure operators increasingly demand SOC 2‑ready evidence that vendors enforce strong cryptographic hygiene before signing contracts.

Recommended Actions

  • Patch Immediately – Deploy Siemens WinCC Unified PC Runtime ≥ 21.0.2 (or the latest patch for earlier versions).
  • Validate Key Storage – Verify that private keys are stored only in encrypted containers or hardware security modules; document findings as control evidence.
  • Update Control Documentation – Map the remediation to SOC 2 CC6.1 (Encryption) and ISO 27001 A.10.1, capturing screenshots or configuration exports for audit.
  • Implement Continuous Monitoring – Use automated configuration‑drift tools to alert on any re‑introduction of cleartext key storage.

Source: CISA Advisory – ICSA‑26‑174‑01

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-01

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →