OTPulse

Siemens SIMATIC and TIM

Monitor · CVSS 5.3 · ICS-CERT ICSA-21-257-23 · Aug 10, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Siemens SIMATIC PLCs and TIM industrial gateways allows an unauthenticated attacker with network access to read PLC variables and process data, bypassing the authentication the devices are supposed to enforce. Affected products include the S7-1200 and S7-1500 CPU families, SIMATIC Drive Controller, ET 200SP Open Controller, SIMATIC S7 PLCSIM Advanced, and TIM 1531 IRC. The attack requires network access to the PLC but no valid credentials. Siemens has released firmware updates for most products; however, SIMATIC S7 PLCSIM Advanced (versions >2, <4) has no fix available.

What this means
What could happen
An attacker on your network can read sensitive variables and data stored in Siemens PLCs and controllers without needing credentials, potentially exposing process setpoints, sensor readings, or configuration details that could inform further attacks on production systems.
Who's at risk
Manufacturing facilities and utilities operating Siemens S7-1200, S7-1500, SIMATIC Drive Controllers, ET 200SP, TIM 1531 IRC, or SIMATIC S7 PLCSIM Advanced should assess risk. The vulnerability affects PLCs used in water treatment, power generation, chemical processing, and discrete manufacturing. TIM devices are commonly deployed in networked industrial systems for remote connectivity.
How it could be exploited
An attacker with network access to an affected PLC (typically port 102 for S7 communication) can send specially crafted requests to read PLC variables without authenticating. The attacker would use standard Siemens communication protocols to extract data from memory, bypassing the normal authorization checks.
Prerequisites
  • Network access to the PLC on port 102 (S7 communication) or equivalent industrial protocol port
  • PLC must be configured or in a state that allows variable access
  • No credentials required
  • Remotely exploitable over network
  • No authentication required
  • Low complexity attack
  • Affects confidentiality of control system data
  • High installed base of Siemens S7 products in critical infrastructure
  • S7 PLCSIM Advanced has no fix available
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
6 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC Drive Controller family | <V2.9.2 | 2.9.2
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | <V21.9 | 21.9
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | V4.4 | 4.4.1
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | >V2.5 and <V2.9.2 | 2.9.2
SIMATIC S7-1500 Software Controller | >V2.5 and <V21.9 | 21.9
TIM 1531 IRC (incl. SIPLUS NET variants) | V2.1 | 2.2
SIMATIC S7 PLCSIM Advanced | >V2 and <V4 | No fix (EOL)
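To check a device inventory against the table above, the following added example (not OTPulse or Siemens code) parses the advisory's version-constraint syntax together with the fix column and reports which devices still need action. Product names are shortened to the leading part of each table row, and reading a bare version such as V4.4 as "any 4.4.x build" is an assumption the page does not spell out.

```python
import re

# Affected-version table as given in the advisory above (Product, Affected
# Versions, Fix Status). Constraint syntax: "<V2.9.2" means below 2.9.2,
# ">V2.5|<V2.9.2" means above 2.5 AND below 2.9.2, and a bare "V4.4" is read
# as any 4.4.x build (an assumption; the page does not define it). None = no fix.
ADVISORY = {
    "SIMATIC Drive Controller family": ("<V2.9.2", "2.9.2"),
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2": ("<V21.9", "21.9"),
    "SIMATIC S7-1200 CPU family": ("V4.4", "4.4.1"),
    "SIMATIC S7-1500 CPU family": (">V2.5|<V2.9.2", "2.9.2"),
    "SIMATIC S7-1500 Software Controller": (">V2.5|<V21.9", "21.9"),
    "TIM 1531 IRC": ("V2.1", "2.2"),
    "SIMATIC S7 PLCSIM Advanced": (">V2|<V4", None),
}

def parse_version(text):
    """'V2.9.2' or '2.9' -> (2, 9, 2) / (2, 9), so versions compare numerically."""
    m = re.fullmatch(r"V?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def matches_constraint(constraint, fw):
    """True if version tuple fw satisfies every '|'-joined term of the constraint."""
    for term in constraint.split("|"):
        m = re.fullmatch(r"([<>]?)(V[\d.]+)", term.strip())
        if not m:
            raise ValueError(f"unparseable constraint term: {term!r}")
        op, ref = m.group(1), parse_version(m.group(2))
        if op == "<" and not fw < ref:
            return False
        if op == ">" and not fw > ref:
            return False
        if op == "" and fw[:len(ref)] != ref:  # bare version: prefix match
            return False
    return True

def is_affected(product, firmware):
    """Affected when the firmware lies in the advisory range and below the fix."""
    constraint, fix = ADVISORY[product]
    fw = parse_version(firmware)
    if not matches_constraint(constraint, fw):
        return False
    return fix is None or fw < parse_version(fix)

def audit(inventory):
    """inventory: iterable of (host, product, firmware); returns devices needing action."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]
```

Feed `audit()` a list of (hostname, product, firmware) tuples exported from your asset register; the constraint is applied literally, so a device exactly at a ">" bound (for example an S7-1500 on V2.5) is reported as not affected, as the table states.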
Remediation & Mitigation
Do now
HARDENING: Restrict network access to PLCs using firewall rules; only allow authorized engineering workstations and SCADA servers to communicate with port 102, and block internet-facing access.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Drive Controller family
HOTFIX: Update SIMATIC Drive Controller family to version 2.9.2 or later
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 21.9 or later
All products
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 21.9 or later
HOTFIX: Update SIMATIC S7-1200 CPU family to version 4.4.1 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to version 2.9.2 or later
HOTFIX: Update TIM 1531 IRC to version 2.2 or later
Mitigations - no patch available
SIMATIC S7 PLCSIM Advanced has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment the control system network from the corporate IT network using a firewall or air-gapped architecture