Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B)

CVSS: 5.3
Source: ICS-CERT ICSA-19-344-06
Published: Aug 13, 2019
Vendor: Siemens
Sectors: Manufacturing, Transportation
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Siemens S7-1200 and S7-1500 CPU families, along with related ET200SP controllers and SIMATIC S7-PLCSIM Advanced software, contain vulnerabilities in network traffic validation and program code integrity verification (CWE-327: Use of Broken or Risky Cryptographic Algorithm; CWE-353: Missing Support for Integrity Check). An attacker with network access to the S7 protocol port (102) can modify network traffic or inject altered user program code into the CPU without proper authentication or integrity checks. This could allow unauthorized modification of automation logic and process control. The vulnerabilities affect S7-1200 firmware versions before 4.4.0, S7-1500 firmware versions before 2.8.1, S7-1500 Software Controller before 20.8, PLCSIM Advanced before 3.0, and ET200SP controllers before version 20.8. SIMATIC Drive Controller family is not affected by these vulnerabilities.

What this means
What could happen
An attacker with network access could modify network traffic to or from your S7-1200 or S7-1500 PLC, or tamper with the user program code stored on the CPU, potentially altering automation logic and process behavior.
Who's at risk
This affects manufacturers and transportation operators using Siemens S7-1200 or S7-1500 PLCs, ET200SP controllers, and related industrial automation equipment. Impact is most significant for plants where PLCs control critical processes like conveyor systems, bottling lines, or rail switching—any equipment where altered program logic could cause production stops, product quality issues, or safety hazards.
How it could be exploited
An attacker on the network sends specially crafted packets to port 102 (Siemens S7 protocol) on the PLC. The CPU does not properly validate the integrity of program data or network traffic, allowing the attacker to inject modified code or intercept and alter program downloads without authentication.
Prerequisites
  • Network access to the PLC on port 102 (Siemens S7 protocol)
  • PLC must be accessible from the attacker's network segment
  • No authentication required; Access Protection feature is optional and not enabled by default
Tags: Remotely exploitable; No authentication required; Low attack complexity; Affects integrity of automation logic; Widespread in manufacturing and transportation
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (25): 17 with fix, 4 pending, 4 EOL
Product | Affected Versions | Fix Status
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | ≥ V20.8 | No fix (EOL)
SIMATIC Drive Controller family | All versions | No fix (EOL)
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V20.8 | 20.8
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | < V4.4.0 | 4.4.0
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | ≥ V4.4.0 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Enable the Access Protection feature on all affected S7-1200 and S7-1500 CPUs to require authentication for program modifications
HARDENING: Restrict network access to S7 protocol port 102 using firewall rules; only allow connections from engineering workstations and HMI servers
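The firewall restriction above is only as good as the evidence that it holds. The following is an added example, not part of the advisory or of any Siemens tooling: it scans firewall connection logs for TCP/102 sessions to the PLC subnet and flags any whose source is not an allowlisted engineering workstation or HMI server. The log line format, the PLC subnet and the allowlisted addresses are all constructed for the example; substitute your firewall's real export format and your own asset inventory.

```python
# Added example (not from the advisory): flag S7 protocol (TCP/102)
# connections to PLCs that originate outside the allowlist of engineering
# workstations and HMI servers. Log format and addresses are constructed.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

S7_PORT = 102

# Constructed allowlist: the only hosts that should talk S7 to the PLCs.
ALLOWED_SOURCES = {
    "engineering-workstations": ipaddress.ip_network("10.10.20.0/24"),
    "hmi-server": ipaddress.ip_network("10.10.30.5/32"),
}

# Constructed address range holding the S7-1200/S7-1500 CPUs.
PLC_NETWORK = ipaddress.ip_network("10.10.100.0/24")

# Constructed log format (hypothetical firewall export):
#   "<timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<proto> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def check_line(line: str) -> Finding | None:
    """Return a Finding for an S7 connection from a non-allowlisted source,
    or None when the line is not an S7 session to a PLC (or is unparseable)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not in the expected format; ignore rather than crash
    if m["proto"] != "TCP" or int(m["dport"]) != S7_PORT:
        return None  # not S7 traffic
    dst = ipaddress.ip_address(m["dst"])
    if dst not in PLC_NETWORK:
        return None  # destination is not a PLC
    src = ipaddress.ip_address(m["src"])
    if any(src in net for net in ALLOWED_SOURCES.values()):
        return None  # legitimate engineering or HMI host
    # An ACCEPT here means the firewall rule is missing or too permissive;
    # a DROP means the rule worked but someone is still probing the PLCs.
    if m["action"] == "ACCEPT":
        reason = "accepted S7 connection from non-allowlisted source"
    else:
        reason = "blocked S7 attempt from non-allowlisted source"
    return Finding(m["ts"], m["src"], m["dst"], reason)


def scan(lines: list[str]) -> list[Finding]:
    """Run check_line over every log line and collect the findings in order."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample log: two legitimate sessions, one unexpected accepted
# session, one blocked probe, one non-S7 session and one non-PLC destination.
SAMPLE_LOG = [
    "2019-08-13T10:00:01Z ACCEPT src=10.10.20.15 dst=10.10.100.7 proto=TCP dport=102",
    "2019-08-13T10:00:05Z ACCEPT src=10.10.30.5 dst=10.10.100.7 proto=TCP dport=102",
    "2019-08-13T10:01:12Z ACCEPT src=192.168.50.44 dst=10.10.100.7 proto=TCP dport=102",
    "2019-08-13T10:02:40Z DROP src=172.16.8.9 dst=10.10.100.12 proto=TCP dport=102",
    "2019-08-13T10:03:00Z ACCEPT src=192.168.50.44 dst=10.10.100.7 proto=TCP dport=443",
    "2019-08-13T10:03:30Z ACCEPT src=192.168.50.44 dst=10.10.5.5 proto=TCP dport=102",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.src} -> {finding.dst}: {finding.reason}")
```

An accepted session from outside the allowlist is the higher-priority finding, because it shows that the port-102 restriction is not actually in force for that path; blocked attempts are still worth reviewing, since a host probing the PLC subnet on the S7 port is rarely benign.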
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 20.8 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 3.0 or later
All products
HOTFIX: Update SIMATIC S7-1200 CPU family to firmware version 4.4.0 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to firmware version 2.8.1 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 20.8 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants), and the SIMATIC Drive Controller family (all versions). Apply the following compensating controls:
HARDENING: Isolate control system networks from business networks using air gaps or firewalls; do not expose PLCs directly to the Internet
HARDENING: If remote access to PLCs is required, route all connections through a VPN with encryption and access controls
