Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.
The TIA Portal (Totally Integrated Automation Portal) is a piece of software from Siemens that gives organizations unrestricted access to the company’s automation services.
Researchers at industrial cybersecurity firm Nozomi Networks discovered that the default installation of the TIA Portal is affected by two high severity improper file permission vulnerabilities.
One of them, CVE-2018-11453, allows an attacker with access to the local file system to insert specially crafted files that can cause the TIA Portal to enter a denial-of-service (DoS) condition or allow the hacker to execute arbitrary code. Exploiting the flaw does not require special privileges, but the victim needs to attempt to open the TIA Portal for the exploit to be triggered, Siemens said in its advisory.
Nozomi Co-founder and Chief Technology Officer Moreno Carullo told SecurityWeek that the company sent a proof-of-concept (PoC) to ICS-CERT and Siemens that shows how this security hole can be exploited for code execution.
The second vulnerability, CVE-2018-11454, is related to an improper file permission configuration issue in specific TIA Portal directories.
“[The flaw] may allow an attacker with local privileges in the machine where the software is installed to manipulate the resources inside the misconfigured directories (eg., adding a malicious payload),” Carullo explained. “While a legitimate user uses the software suite to transfer configuration (in a licit way) to the targeted device, using the TIA Portal software, a maliciously-added file would be automatically executed by the remote device.”
Register for SecurityWeek’s ICS Cyber Security Conference
Siemens has released updates for SIMATIC STEP7 and SIMATIC WinCC versions 14 and 15 to address the vulnerabilities. For earlier versions, users can prevent exploitation by restricting operating system access to authorized users, and processing GDS files only from trusted sources.
Nozomi believes these types of flaws can pose a significant risk to ICS environments.
“These types of flaws may enable an advanced persistent threat (APT) to be installed in the ICS and act by itself hidden from regular ICS engineers in a plant. So it could be used to build bigger malwares,” Carullo said.
Related: Severe DoS Flaw Discovered in Siemens SIMATIC PLCs
Related: Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
