Siemens WinCC Certificate Manager Stores Keys in Cleartext (CVE‑2026‑24349) – Critical Risk to Industrial Control Systems
What It Is – The WinCC Certificate Manager component of Siemens SIMATIC WinCC Unified PC Runtime fails to protect private key material, storing it in cleartext on disk. An attacker with local or remote access could extract these keys and decrypt communications or impersonate trusted devices.
Exploitability – No public exploit code is known, but the vulnerability is trivial to leverage once an adversary gains system access. CVSS v3.1 base score 7.1 (High).
Affected Products – Siemens WinCC Certificate Manager bundled with SIMATIC WinCC Unified PC Runtime versions V16‑V21 (all variants, with V21 fixed only in versions ≥ 21.0.2).
Why It Matters for Compliance & Audit Readiness
- Control Mapping – The flaw reveals a gap in the “Encryption at rest” and “Key Management” controls required by SOC 2 CC6.1 and ISO 27001 A.10.1. Continuous evidence of proper key protection is now a audit‑critical evidence point.
- Audit Trail – Demonstrating that key material is never stored in cleartext (or that compensating controls are in place) provides defensible proof of due‑diligence for regulators and enterprise customers.
- Enterprise Buyer Expectations – Critical‑infrastructure operators increasingly demand SOC 2‑ready evidence that vendors enforce strong cryptographic hygiene before signing contracts.
Recommended Actions
- Patch Immediately – Deploy Siemens WinCC Unified PC Runtime ≥ 21.0.2 (or the latest patch for earlier versions).
- Validate Key Storage – Verify that private keys are stored only in encrypted containers or hardware security modules; document findings as control evidence.
- Update Control Documentation – Map the remediation to SOC 2 CC6.1 (Encryption) and ISO 27001 A.10.1, capturing screenshots or configuration exports for audit.
- Implement Continuous Monitoring – Use automated configuration‑drift tools to alert on any re‑introduction of cleartext key storage.
Source: CISA Advisory – ICSA‑26‑174‑01