OTPulse

Siemens SIMATIC S7-1500

Status: Monitor
Score: 7.8
Reference: ICS-CERT ICSA-21-131-15
Published: May 11, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens SIMATIC S7-1500 CPUs (models 1518-4 PN/DP and 1518F-4 PN/DP) are affected by underlying Intel firmware vulnerabilities disclosed in Intel-SA-00391 (CSME/SPS/TXE/AMT/DAL) and Intel-SA-00358 (BIOS), tracked as CVE-2020-8744 and CVE-2020-0591. These vulnerabilities allow local privilege escalation and unauthorized code execution on the controller hardware. Siemens is working on BIOS and chipset microcode updates but has not yet released patches for these products. Until updates are available, Siemens recommends network protection and adherence to its operational security guidelines.

What this means
What could happen
An attacker with local access to the affected SIMATIC S7-1500 CPUs could exploit Intel firmware vulnerabilities (CSME, SPS, BIOS) to escalate privileges, read sensitive data, or execute code on the controller, potentially disrupting critical process logic or safety functions.
Who's at risk
Water and electric utilities, wastewater treatment plants, and any facility using Siemens SIMATIC S7-1500 CPUs (specifically the 1518-4 PN/DP and 1518F-4 PN/DP models) for critical process automation, including PLC and safety controller deployments. The risk is greatest where these CPUs have local network connectivity or shared engineering workstations.
How it could be exploited
An attacker with local access to the CPU (e.g., via a maintenance interface, USB, or physical access to an engineering workstation connected to the device) could exploit the underlying Intel firmware vulnerabilities. The attacker would leverage the low-complexity local privilege escalation flaws in Intel CSME or BIOS to gain elevated access and run arbitrary code on the controller itself.
Prerequisites
  • Local system access to the CPU or connected engineering workstation
  • Low privilege user credentials or physical proximity to the device
  • No network isolation from local subnets
  • Ability to interact with the CPU's firmware interface or BIOS during boot
  • No patch available from Siemens
  • Local privilege escalation possible
  • Affects multiple safety-critical CPU models
  • Low complexity exploit
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant) | All versions | No fix (EOL)
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical and local access to SIMATIC S7-1500 CPUs and engineering workstations to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor Siemens security advisories for BIOS and chipset microcode updates and deploy them immediately when available, within a scheduled maintenance window
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP. Apply the following compensating controls:
HARDENING: Apply network segmentation to isolate the control network from general IT infrastructure and limit local access paths
HARDENING: Implement credential controls and multi-factor authentication on engineering workstations that connect to these CPUs
HARDENING: Follow the Siemens operational guidelines for Industrial Security (available at siemens.com/cert/operational-guidelines-industrial-security) to harden the operating environment