CVE-2021-40363: 
Siemens SIMATIC WinCC vulnerability analysis and mitigation

A vulnerability has been identified in multiple versions of Siemens SIMATIC PCS 7 and SIMATIC WinCC systems. The vulnerability (CVE-2021-40363) affects various versions including SIMATIC PCS 7 V8.2, V9.0, V9.1, and SIMATIC WinCC versions V7.4, V7.5, V15, V16, and V17. The issue was discovered and disclosed in early 2022, with the first public advisory released in February 2022 (NVD, CISA).

The vulnerability stems from the affected component storing credentials of a local system account in a potentially publicly accessible project file using an outdated cipher algorithm. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified under CWE-312 (Cleartext Storage of Sensitive Information) and CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory) (NVD).

If successfully exploited, an attacker could use this vulnerability to brute force the credentials and potentially take over the system. This could lead to unauthorized access to sensitive information and system compromise (CISA).

Siemens has released updates for affected products and recommends updating to the latest versions. For systems where updates are not immediately available, Siemens recommends hardening the application's host to prevent local access by untrusted personnel. Additionally, organizations should configure their environment according to Siemens' operational guidelines for industrial security (CISA).