Critical Vulnerability Summary

Vulnerability Overview

Description: Mingzheng Li discovered an ActiveX vulnerability in Siemens' SIMATIC WinCC and SIMATIC PCS 7.
Impact: The vulnerability can be exploited remotely, potentially causing component crashes or leaking application memory contents.

Affected Products

SIMATIC WinCC: All versions below V7.2
SIMATIC PCS 7: All versions below V8.0 SP1

Vulnerability Details

CVE ID: CVE-2016-9160
CVSS Score: 4.2
Exploitation Method: The vulnerability cannot be exploited remotely without user interaction; it requires a local user to click on a malicious link.
Public Exploit Code: No known public exploit code exists for this vulnerability.

Mitigation Measures

Upgrade to the latest software versions provided by SIEMENS: SIMATIC WinCC 7.2 or later, and SIMATIC PCS 7 V8.0 SP2 or later.
Prior to upgrading, SIEMENS recommends running ActiveX components only on trusted sites and applying defense-in-depth principles.

Reference Links

SIEMENS Security Advisory: http://www.siemens.com/cert/en/cert-security-advisories.htm
SIEMENS Industrial Security Operational Guidelines: https://www.siemens.com/cert/operational-guidelines-industrial-security