Siemens SIMATIC S7-300 CPU Denial-of-Service Vulnerability
ICS-CERT ICSA-15-064-04 · Dec 6, 2015
Summary
The SIMATIC S7-300 CPU family contains a denial-of-service vulnerability (CWE-404): a specially crafted network packet sent to the S7 protocol port (TCP 102) can cause the CPU to stop responding. All versions of the S7-300 CPU are affected. Siemens has not released a patch and does not plan to, because the S7-300 is legacy equipment that has reached end-of-life. Exploitation requires only network access to the device; no authentication is needed.
What this means
What could happen
An attacker who can reach the S7-300 CPU over the network can send a specially crafted packet that causes the device to stop responding, disrupting any process controlled by the PLC until it is manually restarted.
Who's at risk
Water treatment plants, electrical generation and distribution systems, and wastewater facilities that rely on Siemens S7-300 PLCs for pump control, valve actuation, or other critical automation logic. Any organization using S7-300 CPUs in process control or safety-critical applications should assess exposure.
How it could be exploited
An attacker with network access to TCP port 102 (Siemens S7 protocol) on the PLC can send a malformed packet that triggers a denial-of-service condition, causing the CPU to hang or crash, without authentication or user interaction.
Prerequisites
- Network access to TCP port 102 (S7 protocol) on the PLC
- No credentials or user interaction required
Tags: Remotely exploitable · No authentication required · No patch available · High EPSS score (50.6%) · Affects industrial control equipment
Exploitability
High exploit probability (EPSS 50.6%)
Affected products (1)
Product: SIMATIC S7-300 CPU family
Affected versions: All versions (vers:all/*)
Fix status: No fix (end-of-life)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict access to the S7-300 CPU; allow only the engineering workstations and HMI systems that legitimately need to communicate with the PLC on TCP port 102
- HARDENING: Deploy a firewall or industrial demilitarized zone (DMZ) between corporate networks and the production network containing S7-300 devices
Schedule — requires maintenance window
- No vendor patch exists for the S7-300, so there is nothing to install. Schedule the segmentation and firewall changes in a maintenance window, since changing the network path to the PLC can interrupt HMI and engineering traffic, and have a manual restart procedure ready: a successful attack leaves the CPU unresponsive until it is restarted.
- HARDENING: Monitor network traffic to and from the S7-300 for unexpected connections or malformed S7 protocol packets
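As an added example (not code from the advisory or from Siemens), the Python checker below combines the two hardening measures above: it enforces an allowlist of the engineering workstation and HMI hosts that are permitted to open TCP/102 to the PLC, and it validates the TPKT/COTP/S7comm framing of each segment so that length fields a crafted packet gets wrong, or run-state-changing jobs such as PLC Stop, are flagged. The addresses, the allowlist and the packet bytes are constructed for illustration; it is meant to run over an offline capture or as a reference for writing detection rules, not as a substitute for a firewall in front of the PLC.

```python
"""Offline checker for traffic sent to an S7-300 on TCP/102.

Added example, not code from the advisory or from Siemens. It parses the
TPKT (RFC 1006) / COTP (ISO 8073) / S7comm framing used by the S7 protocol,
validates the length fields, and enforces an allowlist of hosts permitted to
talk to the PLC. Addresses, allowlist and packet bytes are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical site inventory: the only hosts that may open TCP/102 to the PLC.
ALLOWED_CLIENTS = {"10.10.1.10": "engineering workstation", "10.10.1.20": "HMI"}

# S7comm Job function codes (first byte of the parameter block).
S7_FUNCTIONS = {
    0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup communication",
}
STATE_CHANGING = {0x28, 0x29}


@dataclass
class Finding:
    severity: str
    reason: str


def inspect_s7(src_ip: str, payload: bytes) -> List[Finding]:
    """Return findings for one TCP segment sent from src_ip to the PLC's port 102."""
    findings: List[Finding] = []
    if src_ip not in ALLOWED_CLIENTS:
        findings.append(Finding("high", f"unexpected client {src_ip} on TCP/102"))

    # TPKT: version 3, reserved 0, 16-bit big-endian total length incl. header.
    if len(payload) < 7 or payload[0] != 0x03 or payload[1] != 0x00:
        findings.append(Finding("high", "malformed or missing TPKT header"))
        return findings
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len != len(payload):
        findings.append(Finding("high", f"TPKT length {tpkt_len} but {len(payload)} bytes on wire"))
        return findings

    # COTP: length indicator (excluding itself), then PDU type. Connection
    # request/confirm (0xE0/0xD0) carry no S7comm; data TPDUs (0xF0) do.
    cotp_li, cotp_type = payload[4], payload[5]
    if cotp_type in (0xE0, 0xD0):
        return findings
    if cotp_type != 0xF0 or cotp_li != 2:
        findings.append(Finding("medium", f"unexpected COTP PDU type 0x{cotp_type:02x} with LI {cotp_li}"))
        return findings
    s7 = payload[5 + cotp_li:]

    # S7comm header: 0x32, ROSCTR, 2 reserved, PDU ref, param len, data len,
    # plus error class/code for Ack (ROSCTR 2) and Ack_Data (ROSCTR 3).
    if len(s7) < 10 or s7[0] != 0x32:
        findings.append(Finding("high", "COTP data TPDU without S7comm header"))
        return findings
    rosctr = s7[1]
    header_len = 12 if rosctr in (2, 3) else 10
    param_len = int.from_bytes(s7[6:8], "big")
    data_len = int.from_bytes(s7[8:10], "big")
    if header_len + param_len + data_len != len(s7):
        findings.append(Finding("high", f"S7comm param/data lengths {param_len}/{data_len} "
                                        f"do not fit {len(s7) - header_len} payload bytes"))
        return findings

    if rosctr == 1 and param_len >= 1:  # Job request from a client
        func = s7[header_len]
        name = S7_FUNCTIONS.get(func)
        if name is None:
            findings.append(Finding("medium", f"unknown S7 function code 0x{func:02x}"))
        elif func in STATE_CHANGING:
            findings.append(Finding("high", f"{name} request changes CPU run state"))
    return findings


# Constructed sample segments (not captured traffic), as hex for readability.
SAMPLES: List[Tuple[str, bytes]] = [
    # Legitimate Setup Communication job from the engineering workstation.
    ("10.10.1.10", bytes.fromhex("0300001902f08032010000ffff00080000f0000001000101e0")),
    # TPKT header claims 256 bytes but only 25 are on the wire.
    ("10.10.1.20", bytes.fromhex("0300010002f08032010000ffff00080000f0000001000101e0")),
    # S7comm parameter length of 2048 bytes that cannot fit the frame.
    ("10.10.1.20", bytes.fromhex("0300001902f08032010000ffff08000000f0000001000101e0")),
    # PLC Stop job (P_PROGRAM) from a host that is not on the allowlist.
    ("10.10.9.99", bytes.fromhex("0300002102f0803201000000010010000029000000000009505f50524f4752414d")),
    # Non-S7 bytes sent to port 102.
    ("10.10.9.99", b"\xde\xad\xbe\xef\x00\x00\x00\x00"),
]


def scan(samples):
    """Return (src_ip, findings) for every segment that raised at least one finding."""
    results = []
    for ip, pkt in samples:
        findings = inspect_s7(ip, pkt)
        if findings:
            results.append((ip, findings))
    return results


if __name__ == "__main__":
    for ip, findings in scan(SAMPLES):
        for f in findings:
            print(f"{f.severity:6} {ip:12} {f.reason}")
```

Run it directly to print the findings for the constructed samples. Note the caveat: the advisory does not say what the crafted packet looks like, and a packet that trips this vulnerability need not violate any of these length checks, so the allowlist is the control that matters and the framing checks are a detection layer on top of it.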
CVEs (1)