OTPulse

Siemens SIMATIC S7-1500

MonitorCVSS 7.8ICS-CERT ICSA-21-131-15May 11, 2021
Siemens
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Siemens SIMATIC S7-1500 CPUs (models 1518-4 PN/DP and 1518F-4 PN/DP) are affected by underlying Intel firmware vulnerabilities disclosed in Intel-SA-00391 (CSME/SPS/TXE/AMT/DAL) and Intel-SA-00358 (BIOS), represented by CVE-2020-8744 and CVE-2020-0591. These vulnerabilities allow local privilege escalation and unauthorized code execution on the controller hardware. Siemens is working on BIOS and chipset microcode updates but has not yet released patches for these products. Until updates are available, Siemens recommends network protection and adherence to operational security guidelines.

What this means
What could happen
An attacker with local access to the affected SIMATIC S7-1500 CPUs could exploit Intel firmware vulnerabilities (CSME, SPS, BIOS) to escalate privileges, read sensitive data, or execute code on the controller, potentially disrupting critical process logic or safety functions.
Who's at risk
Water and electric utilities, wastewater treatment plants, and any facility using Siemens SIMATIC S7-1500 CPUs (specifically the 1518-4 PN/DP and 1518F-4 PN/DP models) for critical process automation, including PLC and safety controller deployments. The risk is greatest where these CPUs have local network connectivity or shared engineering workstations.
How it could be exploited
An attacker with local access to the CPU (e.g., via maintenance interface, USB, or physical access to engineering workstation connected to the device) could exploit the underlying Intel firmware vulnerabilities. The attacker would leverage the low complexity local privilege escalation flaws in Intel CSME or BIOS to gain elevated access and run arbitrary code on the controller itself.
Prerequisites
  • Local system access to the CPU or connected engineering workstation
  • Low privilege user credentials or physical proximity to the device
  • No network isolation from local subnets
  • Ability to interact with the CPU's firmware interface or BIOS during boot
No patch available from SiemensLocal privilege escalation possibleAffects multiple safety-critical CPU modelsLow complexity exploit
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant)All versionsNo fix (EOL)
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFPAll versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/1
HARDENINGRestrict physical and local access to SIMATIC S7-1500 CPUs and engineering workstations to authorized personnel only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor Siemens security advisories for BIOS and chipset microcode updates and deploy them immediately when available in a scheduled maintenance window
Mitigations - no patch available
0/3
The following products have reached End of Life with no planned fix: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP. Apply the following compensating controls:
HARDENINGApply network segmentation to isolate the control network from general IT infrastructure and limit local access paths
HARDENINGImplement credential controls and multi-factor authentication on engineering workstations that connect to these CPUs
HARDENINGFollow Siemens operational guidelines for Industrial Security (available at siemens.com/cert/operational-guidelines-industrial-security) to harden the operating environment
View full CISA ICS-CERT advisory
API: /api/v1/advisories/2d9eb3b6-67fe-475c-8ce2-afec80c5c916

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens SIMATIC S7-1500 | CVSS 7.8 - OTPulse