OTPulse

Siemens LOGO! 8 BM (Update A)

Act Now | CVSS 9.4 | ICS-CERT ICSA-19-134-04 | May 14, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

LOGO! 8 BM programmable logic controllers contain multiple vulnerabilities (CWE-306: Missing Authentication, CWE-321: Use of Hard-Coded Cryptographic Key, CWE-256: Unprotected Storage of Credentials). These allow an attacker on the network to gain unauthorized access and execute arbitrary commands without authentication. Affected versions are all releases before 8.3. The vulnerabilities are remotely exploitable with high impact on confidentiality and integrity.

What this means
What could happen
An attacker with network access could remotely command a LOGO! 8 BM controller without any login credentials, potentially changing program logic, setpoints, or stopping automated processes critical to water treatment or electric distribution. This could disrupt operations or allow manipulation of industrial equipment.
Who's at risk
Water and wastewater treatment facilities and electric utilities using Siemens LOGO! 8 BM programmable controllers for process automation should assess whether this device is part of their distributed control architecture. LOGO! controllers are commonly used in smaller automation tasks, tank level monitoring, pump control, and equipment interlocks. Any facility with these controllers exposed to internal networks (even non-DMZ networks) faces risk of unauthorized process manipulation.
How it could be exploited
An attacker on the network sends commands directly to the LOGO! 8 BM controller on port 502 (Modbus TCP) or the engineering access port. Because the device lacks authentication checks (CWE-306) and may use hard-coded or unprotected credentials (CWE-321, CWE-256), the attacker can remotely upload malicious program code or alter running logic without a valid user account.
Prerequisites
  • Network connectivity to the LOGO! 8 BM device (typically port 502 for Modbus TCP or engineering interface port)
  • Device running firmware version before 8.3
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High CVSS score (9.4)
  • Hard-coded or unprotected credentials (CWE-321, CWE-256)
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
Product: LOGO! 8 BM (incl. SIPLUS variants)
Affected Versions: All < V8.3
Fix Status: 8.3
Remediation & Mitigation
Do now
WORKAROUND: Configure firewall rules to restrict network access to LOGO! 8 BM devices; allow only authorized engineering workstations and control system hosts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update LOGO! 8 BM firmware to version 8.3 or later
Long-term hardening
HARDENING: Isolate LOGO! 8 BM devices on a dedicated industrial network segment, not on the general IT network
HARDENING: Disable remote access to LOGO! 8 BM unless absolutely required; if required, use a VPN with multi-factor authentication
HARDENING: Apply defense-in-depth security controls as described in Siemens LOGO! 8 BM system manual and Siemens operational security guidelines
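
To check that the firewall workaround and the firmware update above are actually in effect, the following added example (not from the advisory or from Siemens) audits flow records for connections to LOGO! 8 BM controllers on port 502 from sources outside the allowlist, and marks targets still below firmware 8.3. The inventory, allowlist, addresses and flow-record format are constructed assumptions; the advisory does not give the engineering port number, so add the one used at your site to WATCHED_PORTS.

```python
import ipaddress
import re

FIXED = (8, 3)          # first fixed firmware per the advisory
WATCHED_PORTS = {502}   # Modbus TCP; add the engineering port used at your site

# Constructed asset register: controller IP -> reported firmware version.
INVENTORY = {"10.30.1.5": "V8.2", "10.30.1.6": "8.3", "10.30.1.7": "8.10"}
# Assumed allowlist: one engineering workstation and a control-system subnet.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.10/32", "10.20.1.0/24")]

# Constructed flow records: time, source, destination, dest port, protocol.
FLOWS = """\
2019-05-20T08:01:12Z 10.20.0.10 10.30.1.5 502 tcp
2019-05-20T08:03:40Z 192.168.7.44 10.30.1.5 502 tcp
2019-05-20T08:04:02Z 192.168.7.44 10.30.1.6 502 tcp
2019-05-20T08:05:10Z 192.168.7.44 10.30.1.5 443 tcp
2019-05-20T08:06:00Z 10.20.1.77 10.30.1.5 502 tcp
truncated record
"""

def parse_version(text):
    """Turn 'V8.2' or '8.10' into (8, 2) / (8, 10) so 8.10 sorts above 8.3."""
    m = re.match(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def needs_update(version):
    return parse_version(version) < FIXED

def audit(flows, inventory=INVENTORY, allowed=ALLOWED, ports=WATCHED_PORTS):
    """Return flows that reached a controller from outside the allowlist."""
    findings = []
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, port, proto = parts
        if dst not in inventory or proto != "tcp" or int(port) not in ports:
            continue
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue
        findings.append({"time": ts, "src": src, "dst": dst,
                         "unpatched": needs_update(inventory[dst])})
    return findings

if __name__ == "__main__":
    for f in audit(FLOWS):
        print(f)
```

A finding with `unpatched` set to True is the combination the advisory treats as urgent: a controller below 8.3 that a non-allowlisted host could reach.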