Siemens LOGO!8 Devices
Monitor | 7.5 | ICS-CERT ICSA-19-162-03 | Jun 11, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens LOGO!8 small PLCs (models 6ED1052-xyyxx-0BA8 and 6ED1052-xyy08-0BA0) contain a buffer overflow or buffer over-read vulnerability (CWE-119, CWE-384) in message handling. An unauthenticated attacker on the network can send a specially crafted packet to cause the device to crash, resulting in loss of control function. The device must be restarted to resume operation. Affected firmware versions are v1.80.xx, v1.81.xx (6ED1052-xyyxx-0BA8 models FS:01–FS:06), and versions prior to v1.82.02 (6ED1052-xyy08-0BA0 FS:01). No public exploits are known, but exploitation requires network-level access and no credentials.
What this means
What could happen
An attacker with network access to a LOGO!8 device could cause a denial of service, disrupting the small PLC's ability to execute control logic for automation tasks like pump starts, valve positioning, or alarm responses.
Who's at risk
Water authorities and utilities operating Siemens LOGO!8 PLCs (including SIPLUS hardened variants) for local process control—such as small pump stations, tank level management, or auxiliary automation loops—should assess exposure if these devices are reachable from any untrusted network.
How it could be exploited
An attacker on the network sends a malformed packet or message to the LOGO!8 device on its control port. The device fails to properly validate the input (buffer overflow or buffer over-read), crashes, and stops responding to commands. The PLC must be restarted before operations resume.
Prerequisites
- Network-level access to the LOGO!8 device (e.g., connected to plant network or accessible via Internet without firewall protection)
- No authentication required; the vulnerability can be triggered by an unauthenticated attacker
- The device must be running one of the affected firmware versions
- Remotely exploitable
- No authentication required
- Low complexity attack
- Denial of service impact on control operations
- No patch available for some variants (end-of-life)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 pending
Product: SIEMENS LOGO!8 (incl. SIPLUS variants): 6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware
Affected Versions: ≥ 6ED1052-xyyxx-0BA8 FS:01 | < 6ED1052-xyyxx-0BA8 FS:06 | V1.80.xx | V1.81.xx
Fix Status: No fix yet

Product: SIEMENS LOGO!8 (incl. SIPLUS variants): 6ED1052-xyy08-0BA0 FS:01 / Firmware
Affected Versions: < 6ED1052-xyyxx-0BA0 FS:01 firmware V1.82.02
Fix Status: No fix yet
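An added example (not code from Siemens or from this advisory) that triages an asset inventory against the order numbers and firmware ranges listed above. It assumes each x/y placeholder in an order number stands for one alphanumeric character, ignores the functional state (FS) so that it errs toward flagging, and uses constructed sample inventory entries.

```python
import re

# Order-number patterns from the advisory. Assumption of this example:
# each x/y placeholder is exactly one alphanumeric character.
BA8 = re.compile(r"^6ED1052-[0-9A-Z]{5}-0BA8$")
BA0 = re.compile(r"^6ED1052-[0-9A-Z]{3}08-0BA0$")
FIXED_BA0 = (1, 82, 2)  # "1.82.02 or later" for the -0BA0 model


def parse_fw(text):
    """Turn 'V1.81.02' or '1.80.1' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(order_no, firmware):
    """Return (status, action) for one inventory entry."""
    order_no = order_no.strip().upper()
    is_ba8, is_ba0 = bool(BA8.match(order_no)), bool(BA0.match(order_no))
    if not (is_ba8 or is_ba0):
        return ("not listed", "no action from this advisory")
    fw = parse_fw(firmware)
    if fw is None:
        # A listed model with an unreadable version must not be waved through.
        return ("unknown", "verify firmware on the device; restrict access meanwhile")
    if is_ba8:
        if fw[:2] in ((1, 80), (1, 81)):  # V1.80.xx and V1.81.xx
            return ("affected", "segment network; consult Siemens support")
        return ("not listed", "no action from this advisory")
    if fw < FIXED_BA0:  # numeric comparison, component by component
        return ("affected", "update firmware to 1.82.02 or later")
    return ("fixed", "no action from this advisory")


if __name__ == "__main__":
    # Constructed inventory rows: (asset tag, order number, reported firmware).
    inventory = [
        ("pump-station-3", "6ED1052-1MD00-0BA8", "V1.81.01"),
        ("tank-level-1", "6ED1052-1MD08-0BA0", "V1.82.01"),
        ("tank-level-2", "6ED1052-1MD08-0BA0", "V1.82.02"),
        ("aux-loop-7", "6ED1052-1MD00-0BA8", "n/a"),
    ]
    for tag, order_no, fw in inventory:
        status, action = triage(order_no, fw)
        print(f"{tag:15} {order_no:20} {fw:9} {status:10} {action}")
```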
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to LOGO!8 devices using firewall rules; block inbound connections from untrusted networks and the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update LOGO!8 6ED1052-xyy08-0BA0 FS:01 firmware to version 1.82.02 or later
HOTFIX: For LOGO!8 6ED1052-xyyxx-0BA8 FS:01 to FS:06 with firmware v1.80.xx or v1.81.xx: consult Siemens support for available updates, as end-of-life status may apply; in the interim, apply network segmentation
Long-term hardening
HARDENING: Place LOGO!8 devices on a segregated control network that is not reachable from office/business networks or the Internet
HARDENING: Follow Siemens operational guidelines for Industrial Security and apply defense-in-depth network architecture with demilitarized zones and access controls
CVEs (2)
API:
/api/v1/advisories/ad9e4b20-dc5d-4817-8d6f-b415fec0814f