Siemens SIMATIC S7-1200 (Update A)

Plan PatchCVSS 8.1ICS-CERT ICSA-21-222-09Aug 10, 2021

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

SIMATIC S7-1200 PLC firmware V4.5.0 contains an authentication bypass vulnerability when the device was provisioned using TIA Portal V13. An attacker with network access and TIA Portal V13 or later can exploit this flaw to download arbitrary programs to the PLC, bypassing the configured password protection. This affects the S7-1200 CPU family including SIPLUS variants. Siemens has released firmware version 4.5.1 to correct this issue. The vulnerability is not currently known to be exploited in the wild, and successful exploitation requires high attack complexity.

What this means

What could happen

An attacker with TIA Portal V13 or later could bypass password authentication on affected S7-1200 PLCs and load malicious programs, potentially altering production sequences, stopping processes, or damaging equipment.

Who's at risk

Manufacturing facilities and utilities using SIEMENS SIMATIC S7-1200 PLCs (including SIPLUS industrial variants) for process control, packaging, motor control, or any critical automation. The risk is highest if devices were provisioned with TIA Portal V13 while running firmware V4.5.0.

How it could be exploited

An attacker with network access to the PLC and a copy of TIA Portal V13 or later can exploit the authentication bypass to download and run arbitrary PLC programs without knowing the configured password. This requires the PLC was originally provisioned with TIA Portal V13 while running firmware V4.5.0.

Prerequisites

Network access to the SIMATIC S7-1200 PLC (typically port 102 for S7 communication)
Attacker has TIA Portal V13 or later installed
Affected PLC is running firmware V4.5.0
PLC was provisioned (set up) using TIA Portal V13 while on firmware V4.5.0

Remotely exploitable over networkNo authentication required (bypass vulnerability)High CVSS score (8.1)Low complexity attack (once preconditions met)Affects critical control system devices

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

SIMATIC S7-1200 CPU family (incl. SIPLUS variants)V4.5.04.5.1

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDIf you cannot update firmware immediately, update TIA Portal to version 13 SP1 or later before re-provisioning any S7-1200 devices

HARDENINGRestrict network access to S7-1200 PLCs using firewall rules; do not expose port 102 to untrusted networks or the Internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIMATIC S7-1200 firmware to version 4.5.1 or later

Long-term hardening

0/1

HARDENINGIsolate PLC networks from the business network using network segmentation and air-gapping where possible

CVEs (1)

CVE-2021-37172

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e56ce89a-4934-47fb-a588-1844036ab8bc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.