The Broadside | ICS-OT, Regulator, News | 1 min read

Siemens leaves older WinCC Certificate Manager versions unpatched

The operational problem is the legacy estate: V21 has an update path, while V16 through V20 get mitigations and risk acceptance.


TL;DR

CISA republished Siemens ProductCERT SSA-063511 for CVE-2026-24349, a CVSS 7.1 cleartext-storage flaw in WinCC Certificate Manager that can let a local attacker extract cryptographic key material. SIMATIC WinCC Unified PC Runtime V16 through V20 are affected with no fix planned; V21 before 21.0.2 should move to V21 Update 2 or later. Critical infrastructure operators, defense-industrial-base contractors and MSPs supporting OT sites now have a familiar choice: restrict access around old systems or fund a version migration.

CISA’s advisory is routine in form and ugly in the installed-base detail. CVE-2026-24349 affects Siemens WinCC Certificate Manager in SIMATIC WinCC Unified PC Runtime V16, V17, V18, V19, V20 and V21 before 21.0.2. The flaw is cleartext storage in a file or on disk, scored CVSS 7.1, and Siemens says insufficient protection of key material could allow an attacker to extract sensitive information.

For V21, the instruction is clean: update to V21 Update 2 or a later version. For V16 through V20, Siemens lists the products as affected and says no fix is planned. The mitigation language is the usual OT perimeter and access-control advice: qualified personnel, protected IT environments, reduced network exposure, firewalls, separation from business networks and careful handling of remote access.

That is not useless advice, but it changes the work order. A local-attack vector does not mean harmless in a plant, hospital, transportation system or contractor-operated OT environment where shared workstations, vendor maintenance access and privileged support paths are part of the operating model. If key material can be extracted from disk, the practical control is to shrink the population of people and systems that can touch the host, then prove that shrinkage during audits, incident response and customer reviews.

The long tail is V16 through V20. Asset owners do not just apply a patch and close the ticket. They inventory WinCC Unified PC Runtime versions, confirm whether any V21 hosts remain below 21.0.2, lock down local and remote administrative paths, and decide whether older deployments can live under compensating controls. If those systems sit in environments supporting federal or defense customers, the uncomfortable part is documenting why “no fix planned” is acceptable for systems that still protect operational credentials.
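The inventory step above, as an added example (not Siemens or CISA tooling): classify each WinCC Unified PC Runtime host against the SSA-063511 version boundaries into "no fix planned", "update to V21 Update 2 or later", fixed, or unknown. Host names and version strings are constructed, and the mapping of a "V21 Update N" label onto a 21.0.N build number is an assumption about how the inventory records versions.

```python
"""Triage WinCC Unified PC Runtime hosts against CVE-2026-24349 (SSA-063511)."""
import re
from typing import NamedTuple, Optional, Tuple

FIXED_V21 = (21, 0, 2)  # first fixed V21 build per the advisory (V21 Update 2)

class Finding(NamedTuple):
    host: str
    version: str
    status: str  # affected-no-fix | affected-update | fixed | unknown
    action: str

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Accept 'V21.0.1', '18', or 'V21 Update 2' (assumed label format)."""
    m = re.fullmatch(r"\s*V?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text, re.I)
    if m:
        return tuple(int(g or 0) for g in m.groups())  # type: ignore[return-value]
    # Assumption: 'V21 Update N' corresponds to build 21.0.N
    m = re.fullmatch(r"\s*V?(\d+)\s+Update\s+(\d+)\s*", text, re.I)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    return None

def classify(host: str, version: str) -> Finding:
    v = parse_version(version)
    if v is None:
        return Finding(host, version, "unknown", "verify version string by hand")
    if 16 <= v[0] <= 20:
        return Finding(host, version, "affected-no-fix",
                       "no vendor fix: compensating controls plus documented risk acceptance")
    if v[0] == 21:
        if v < FIXED_V21:
            return Finding(host, version, "affected-update", "update to V21 Update 2 or later")
        return Finding(host, version, "fixed", "none")
    return Finding(host, version, "unknown", "outside advisory scope; confirm with vendor")

# Constructed sample inventory rows: (host, version as recorded by the asset tool)
SAMPLE_INVENTORY = [
    ("hmi-line1", "V18"),
    ("hmi-line2", "V21.0.1"),
    ("hmi-line3", "V21 Update 2"),
    ("hmi-lab", "V21.0.3"),
    ("hmi-legacy", "V16.1"),
    ("hmi-test", "v22beta"),
]

def triage(inventory):
    return [classify(h, ver) for h, ver in inventory]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.version:14} {f.status:16} {f.action}")
```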


Published · Deep Fathom
