Siemens SIMATIC CP (Update A)

Act NowCVSS 8.8ICS-CERT ICSA-21-222-07Aug 10, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

SIMATIC CP 1543-1 and CP 1545-1 devices contain vulnerabilities in the embedded ProFTPD server (CWE-125: out-of-bounds read, CWE-416: use-after-free). These flaws could allow a remote attacker to read sensitive information or execute arbitrary code if FTP is enabled and accessed with valid credentials. The vulnerabilities affect CP 1543-1 firmware versions prior to 3.0 and CP 1545-1 versions prior to 1.1. FTP is disabled by default, but if enabled for file management or remote access, the device becomes exploitable.

What this means

What could happen

An attacker with network access to the FTP service could read sensitive data or execute arbitrary code on the SIMATIC CP communication processor, potentially disrupting industrial network connectivity or modifying network traffic for connected PLCs and devices.

Who's at risk

This affects any organization using Siemens SIMATIC CP 1543-1 or CP 1545-1 communication processors in industrial networks. These are common in utilities, manufacturing, and critical infrastructure that rely on Siemens S7 communications. If FTP is enabled for remote firmware management or file transfer, the devices are at risk.

How it could be exploited

An attacker sends a specially crafted FTP command to the embedded ProFTPD server listening on port 21/TCP. If the FTP service is enabled and the attacker has at least one valid credential on the system, the ProFTPD vulnerability (CWE-125 or CWE-416) could be triggered to read memory or execute code on the CP module itself.

Prerequisites

Network access to port 21/TCP on the SIMATIC CP device
Embedded FTP server must be enabled (disabled by default)
Valid login credentials for FTP authentication

remotely exploitablehigh EPSS score (68.9%)requires authentication but default FTP may be weakaffects network connectivity for control systemsthird-party component vulnerability (ProFTPD)

Exploitability

Likely to be exploited — EPSS score 62.3%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

SIMATIC CP 1543-1 (incl. SIPLUS variants)<V3.03.0

SIMATIC CP 1545-1<V1.11.1

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDDisable the embedded FTP server if not required for operations

WORKAROUNDRestrict network access to port 21/TCP to only trusted IP addresses using firewall rules

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

SIMATIC CP 1545-1

HOTFIXUpdate SIMATIC CP 1545-1 to firmware version 1.1 or later

All products

HOTFIXUpdate SIMATIC CP 1543-1 to firmware version 3.0 or later

Long-term hardening

0/1

HARDENINGIsolate SIMATIC CP devices from the business network and Internet behind a firewall

CVEs (2)

CVE-2020-9272 CVE-2020-9273

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f5b6c662-d231-4583-b7b2-067252ccbb81

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.