Siemens SIMOTICS CONNECT 400
Plan Patch
8.2
ICS-CERT ICSA-22-069-02
Mar 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in the Nucleus RTOS (NUCLEUS:13) affect SIMOTICS CONNECT 400 IoT gateway devices. These flaws allow remote code execution or denial of service due to insufficient input validation in the RTOS kernel. The vulnerabilities stem from type confusion (CWE-843), unsafe type casting (CWE-1284), integer underflow (CWE-191), and improper input validation (CWE-240). Siemens has released firmware updates to address these issues.
What this means
What could happen
An attacker with network access to a SIMOTICS CONNECT 400 device could execute code remotely or cause a denial of service, potentially interrupting monitoring and control of motor operations or connected industrial processes.
Who's at risk
Organizations operating Siemens SIMOTICS CONNECT 400 devices—commonly used for remote motor monitoring and IoT connectivity in manufacturing, water/wastewater treatment, and electric utilities—should prioritize patching these devices. The vulnerability affects both V0.5.x and V1.0.x firmware tracks.
How it could be exploited
An attacker on the network sends a crafted message or request to the SIMOTICS CONNECT 400 device. The device's Nucleus RTOS processes the malformed input without proper validation, allowing the attacker to either run arbitrary code on the device or crash it, disrupting operation.
Prerequisites
- Network access to the SIMOTICS CONNECT 400 device (default industrial protocols)
- No authentication or credentials required
- Remotely exploitable
- No authentication required
- Low attack complexity
- Affects availability (denial of service) and confidentiality (code execution)
- Default industrial network exposure
Exploitability
Moderate exploit probability (EPSS 2.5%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMOTICS CONNECT 400 | <V0.5.0.0 | 0.5.0.0 |
| SIMOTICS CONNECT 400 | <V1.0.0.0 | 1.0.0.0 |
Remediation & Mitigation
Do now
SIMOTICS CONNECT 400
- WORKAROUND: Restrict network access to SIMOTICS CONNECT 400 devices using firewall rules; only allow traffic from authorized engineering workstations and control systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMOTICS CONNECT 400
- HOTFIX: Update SIMOTICS CONNECT 400 to firmware version 0.5.0.0 or later if currently running a version below 0.5.0.0
- HOTFIX: Update SIMOTICS CONNECT 400 to firmware version 1.0.0.0 or later if currently running a version below 1.0.0.0
Long-term hardening
SIMOTICS CONNECT 400
- HARDENING: Segment the industrial network containing SIMOTICS CONNECT 400 from the business network using firewalls or air gaps
All products
- HARDENING: If remote access to the device is required, use a VPN with current security patches and strong authentication