PatchSiren cyber security CVE debrief
CVE-2023-50821 Siemens CVE debrief
CVE-2023-50821 is a medium-severity input validation vulnerability in Siemens SIMATIC WinCC and SIMATIC PCS 7 products. The flaw exists in the login dialog box, where improper input validation allows an attacker to trigger a persistent denial-of-service condition. Published on April 9, 2024, and last modified on January 14, 2025, this vulnerability carries a CVSS 3.1 score of 6.2 (MEDIUM). The attack vector is local, requires low attack complexity, and needs no privileges or user interaction, though the impact is limited to availability (no confidentiality or integrity impact). Siemens has released patches for affected versions, with fixes available for SIMATIC WinCC Runtime Professional V17 Update 8 and later, V18 Update 4 and later, V19 Update 1 and later, SIMATIC WinCC V7.5 SP2 Update 16 and later, V8.0 Update 5 and later, and SIMATIC PCS 7 V9.1 SP2 UC04 and later. As an interim mitigation, organizations can activate SIMATIC Logon in the User Administrator of SIMATIC PCS 7 Operator Stations.
- Vendor: Siemens
- Product: SIMATIC PCS 7 V9.1
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2025-01-14
- Advisory published: 2024-04-09
- Advisory updated: 2025-01-14
Who should care
Industrial control system operators, OT security teams, and manufacturing organizations using Siemens SIMATIC WinCC or SIMATIC PCS 7 for process visualization and control. Organizations in critical infrastructure sectors (energy, water, chemical, pharmaceutical) with deployed Siemens HMI systems should prioritize patching, particularly where operator stations are accessible to multiple users or located in less physically secure environments.
Technical summary
The vulnerability stems from insufficient input validation in the login dialog of Siemens SIMATIC WinCC and SIMATIC PCS 7 operator interfaces. An attacker with local access can supply malformed input that triggers a persistent denial-of-service condition, rendering the HMI system unavailable until manually recovered. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates local attack vector, low complexity, no privilege requirements, and high availability impact. The vulnerability does not affect confidentiality or integrity. Siemens addressed this through updates released between July 2024 and January 2025, with specific patch levels documented for each affected product version.
Defensive priority
medium
Recommended defensive actions
- Apply vendor patches: Update SIMATIC WinCC Runtime Professional V17 to Update 8 or later, V18 to Update 4 or later, V19 to Update 1 or later; update SIMATIC WinCC V7.5 to SP2 Update 16 or later, V8.0 to Update 5 or later
- Apply vendor patches: Update SIMATIC PCS 7 V9.1 to SP2 UC04 or later
- Implement interim mitigation: Activate SIMATIC Logon in the User Administrator of SIMATIC PCS 7 Operator Stations until patches can be deployed
- Restrict local access to operator stations to authorized personnel only
- Monitor for anomalous login attempts or unexpected service disruptions on affected HMI systems
- Review and validate input handling in custom extensions or integrations with SIMATIC WinCC/PCS 7
Evidence notes
Vulnerability description and remediation details sourced from CISA CSAF advisory ICSA-24-102-02. CVSS vector and scoring confirmed from source. Vendor fix information and product version specifics extracted from CSAF remediation data. Timeline dates (CVE published 2024-04-09, modified 2025-01-14) taken from supplied CVE metadata.
Official resources
- CVE-2023-50821 CVE record (CVE.org)
- CVE-2023-50821 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-09