CVE-2019-10918
CVE-2019-10918 is a high-severity vulnerability in Siemens Simatic Pcs 7 with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-749.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.0
- EPSS exploit prediction: 2% (78th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-749
- Affected product: Siemens Simatic Pcs 7
- Published:
- Last modified:
Description
A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). An authenticatd attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. The vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires authentication with a low-privileged user account and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.
Frequently asked questions
- What is CVE-2019-10918?
- A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). An authenticatd attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. The vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires authentication with a low-privileged user account and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.
- How severe is CVE-2019-10918?
- CVE-2019-10918 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-10918 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (78th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-10918?
- CVE-2019-10918 primarily affects Siemens Simatic Pcs 7. In total, 12 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-10918?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2019-10918 published?
- CVE-2019-10918 was published on 2019-05-14 and last updated on 2026-06-17.
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-697412.pdf
- https://www.us-cert.gov/ics/advisories/ICSA-19-134-08
Affected products (12)
- cpe:2.3:a:siemens:simatic_pcs_7:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_pcs_7:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc_\(tia_portal\):13.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc_\(tia_portal\):14.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc_\(tia_portal\):15.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_wincc_runtime_professional:*:*:*:*:*:*:*:*
More vulnerabilities in Siemens Simatic Pcs 7
- CVE-2023-25910 — Critical (CVSS 10.0): A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9.1 SP2 UC04), SIMATIC S7-PM (All versions < V5.7…
- CVE-2014-8551 — Critical (CVSS 10.0): The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7…
- CVE-2021-40358 — Critical (CVSS 9.9): A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3…
- CVE-2019-10922 — Critical (CVSS 9.8): A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 and newer (All…
- CVE-2021-40360 — High (CVSS 8.8): A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC…
- CVE-2019-10916 — High (CVSS 8.8): A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions…
All CVEs affecting Siemens Simatic Pcs 7 →
Other CWE-749 vulnerabilities
- CVE-2023-40151 — Critical (CVSS 10.0): When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK…
- CVE-2026-55454 — Critical (CVSS 9.9): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy…
- CVE-2026-30957 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors…
- CVE-2026-30921 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors…
- CVE-2019-18342 — Critical (CVSS 9.9): A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default…
- CVE-2025-59403 — Critical (CVSS 9.8): The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks…