OTPulse

Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B)

Monitor | CVSS 5.3 | ICS-CERT ICSA-19-344-06 | Dec 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens S7-1200 and S7-1500 CPU families, along with related ET200SP controllers and SIMATIC S7-PLCSIM Advanced software, contain vulnerabilities in network traffic validation and program code integrity verification (CWE-327: Use of Broken or Risky Cryptographic Algorithm; CWE-353: Missing Support for Integrity Check). An attacker with network access to the S7 protocol port (102) can modify network traffic or inject altered user program code into the CPU without proper authentication or integrity checks. This could allow unauthorized modification of automation logic and process control. The vulnerabilities affect S7-1200 firmware versions before 4.4.0, S7-1500 firmware versions before 2.8.1, S7-1500 Software Controller before 20.8, PLCSIM Advanced before 3.0, and ET200SP controllers before version 20.8. SIMATIC Drive Controller family is not affected by these vulnerabilities.

What this means
What could happen
An attacker with network access could modify network traffic to or from your S7-1200 or S7-1500 PLC, or tamper with the user program code stored on the CPU, potentially altering automation logic and process behavior.
Who's at risk
This affects manufacturers and transportation operators using Siemens S7-1200 or S7-1500 PLCs, ET200SP controllers, and related industrial automation equipment. Impact is most significant for plants where PLCs control critical processes like conveyor systems, bottling lines, or rail switching—any equipment where altered program logic could cause production stops, product quality issues, or safety hazards.
How it could be exploited
An attacker on the network sends specially crafted packets to port 102 (Siemens S7 protocol) on the PLC. The CPU does not properly validate the integrity of program data or network traffic, allowing the attacker to inject modified code or intercept and alter program downloads without authentication.
Prerequisites
  • Network access to the PLC on port 102 (Siemens S7 protocol)
  • PLC must be accessible from the attacker's network segment
  • No authentication required; Access Protection feature is optional and not enabled by default
Remotely exploitable · No authentication required · Low attack complexity · Affects integrity of automation logic · Widespread in manufacturing and transportation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (13)
12 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): All | < 2.8.1 | 2.8.1
SIMATIC S7-PLCSIM Advanced: All | < 3.0 | 3.0
SIMATIC S7-1500 Software Controller: All | < 20.8 | 20.8
SIMATIC S7-1200 CPU family (incl. SIPLUS variants): All | < 4.4.0 | 4.4.0
SIMATIC ET200SP (incl. SIPLUS variants) Open Controller CPU 1515SP PC: All versions | All versions | 20.8
SIMATIC Drive Controller family: All | * (only affected by CVE-2019-10943) | No fix (EOL)
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | ≥ 2.8.1 (only affected by CVE-2019-10943) | 2.8.1
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | ≥ 20.8 (only affected by CVE-2019-10943) | 20.8
Remediation & Mitigation
Do now
WORKAROUND: Enable Access Protection feature on all affected S7-1200 and S7-1500 CPUs to require authentication for program modifications
HARDENING: Restrict network access to S7 protocol port 102 using firewall rules; only allow connections from engineering workstations and HMI servers
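
To check that the port 102 restriction above is actually in effect, the following added example (not part of the advisory or any Siemens tooling) audits firewall connection records for S7 traffic reaching PLCs from hosts outside the allowlist. The log format, the PLC subnet and the allowed source addresses are assumptions chosen for illustration.

```python
import ipaddress

# Assumed site values (documentation address ranges), not taken from the advisory.
PLC_NETS = [ipaddress.ip_network("192.0.2.0/28")]
ALLOWED_SOURCES = [
    ipaddress.ip_network("198.51.100.10/32"),  # engineering workstation
    ipaddress.ip_network("198.51.100.20/32"),  # HMI server
]
S7_PORT = 102  # S7 protocol port named in the advisory

# Constructed sample records: "timestamp src dst dst_port proto action"
SAMPLE_LOG = """\
2019-12-10T08:00:01Z 198.51.100.10 192.0.2.5 102 tcp allow
2019-12-10T08:00:07Z 198.51.100.77 192.0.2.5 102 tcp allow
2019-12-10T08:01:12Z 198.51.100.20 192.0.2.6 102 tcp allow
2019-12-10T08:02:30Z 203.0.113.9 192.0.2.6 102 tcp deny
2019-12-10T08:03:00Z 198.51.100.77 192.0.2.5 443 tcp allow
malformed line
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_s7_access(log_text):
    """Return (findings, skipped) for S7 connections to PLCs from non-allowlisted sources."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, proto, action = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped += 1  # malformed record: count it rather than silently drop it
            continue
        if proto != "tcp" or port != S7_PORT or not in_any(dst_ip, PLC_NETS):
            continue
        if in_any(src_ip, ALLOWED_SOURCES):
            continue
        # "allow" means the firewall let it through (rule missing or too broad);
        # "deny" is a blocked attempt that is still worth reviewing.
        kind = "policy-gap" if action == "allow" else "blocked-attempt"
        findings.append((ts, src, dst, kind))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = audit_s7_access(SAMPLE_LOG)
    for finding in findings:
        print(*finding)
    print(f"skipped {skipped} unparseable record(s)")
```
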
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC S7-1200 CPU family to firmware version 4.4.0 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to firmware version 2.8.1 or later
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 20.8 or later
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 3.0 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 20.8 or later
Mitigations - no patch available
SIMATIC Drive Controller family: All has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate control system networks from business networks using air gaps or firewalls; do not expose PLCs directly to the Internet
HARDENING: If remote access to PLCs is required, route all connections through a VPN with encryption and access controls
Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B) | CVSS 5.3 - OTPulse