OTPulse

Siemens SIMATIC S7-400

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-22-104-12 · Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC S7-400 and S7-410 CPU devices contain an input validation flaw (CWE-119) that allows an attacker to send a malformed packet to port 102 and crash the device, triggering a Denial-of-Service condition. The affected devices stop responding to commands and require manual restart to restore operations. Siemens has released firmware updates for some S7-400 H V6 and S7-410 families, but many S7-400 PN/DP V7 models (including 416F-2, 416F-3, 417-4, 412-1, 412-2, 414-2, 414-3, 416-2, 416-3 DP variants, and certain SIPLUS models) will not receive patches and must be protected by network controls. The vulnerability is not currently known to be exploited in the wild, but the attack vector is straightforward and requires no credentials.

What this means
What could happen
An attacker with network access to port 102 could send a malformed packet to a SIMATIC S7-400 or S7-410 CPU, causing the device to crash and stop responding; a manual restart is required to restore normal operation.
Who's at risk
Water and electric utilities running SIMATIC S7-400 or S7-410 CPUs that are networked. This includes both the main PN/DP process control devices and the hardened H-series variants. Many sites have S7-400 CPUs controlling critical water treatment, pump stations, or power distribution logic. Approximately half of the affected product models have no patch available, making network isolation critical for those installations.
How it could be exploited
An attacker on the network sends a specially crafted packet to port 102 (TCP) on the PLC. The vulnerability in the input validation code fails to check the packet contents properly, causing the CPU to crash. The attacker does not need valid credentials or any special authentication.
Prerequisites
  • Network access to port 102 (TCP)
  • No authentication required
  • SIMATIC S7-400 or S7-410 device must be running a vulnerable firmware version
Tags: remotely exploitable · no authentication required · low complexity · affects critical PLC platforms · no patch available for multiple product lines
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (20): 10 with fix, 10 EOL

Product                                                  | Affected Versions | Fix Status
SIMATIC S7-400 CPU 416-3 PN/DP V7                        | < V7.0.3          | Fixed in V7.0.3
SIMATIC S7-400 CPU 416F-3 PN/DP V7                       | < V7.0.3          | Fixed in V7.0.3
SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants)   | < V6.0.10         | Fixed in V6.0.10
SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants)    | < V10.1           | Fixed in V10.1
SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants)     | < V8.2.3          | Fixed in V8.2.3
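The table above gives a fixed-version threshold per family, and the mitigation section below lists the families that will never get one. The following added example (not OTPulse's or Siemens' code) turns that into an inventory triage: each asset is classified as fixed, vulnerable, or end-of-life with no fix. The family labels are the product names as printed on this page; the sample inventory, its firmware strings and the `classify`/`triage` helpers are constructed for illustration.

```python
"""Triage SIMATIC S7-400 / S7-410 assets against the fix thresholds in ICSA-22-104-12."""
import re
from collections import Counter

# Fixed firmware version per family, from the advisory's affected-products table.
FIXED_IN = {
    "SIMATIC S7-400 CPU 416-3 PN/DP V7": (7, 0, 3),
    "SIMATIC S7-400 CPU 416F-3 PN/DP V7": (7, 0, 3),
    "SIMATIC S7-400 H V6 CPU family": (6, 0, 10),
    "SIMATIC S7-410 V10 CPU family": (10, 1),
    "SIMATIC S7-410 V8 CPU family": (8, 2, 3),
}

# Families the advisory lists as End of Life with no planned fix.
EOL_NO_FIX = {
    "SIMATIC S7-400 CPU 416F-2 DP V7", "SIMATIC S7-400 CPU 417-4 DP V7",
    "SIPLUS S7-400 CPU 416-3 V7", "SIPLUS S7-400 CPU 417-4 V7",
    "SIMATIC S7-400 CPU 412-1 DP V7", "SIMATIC S7-400 CPU 412-2 DP V7",
    "SIMATIC S7-400 CPU 414-2 DP V7", "SIMATIC S7-400 CPU 414-3 DP V7",
    "SIMATIC S7-400 CPU 416-2 DP V7", "SIMATIC S7-400 CPU 416-3 DP V7",
}


def parse_version(text):
    """'V7.0.3' -> (7, 0, 3). Accepts an optional leading 'V' and ignores a trailing suffix."""
    m = re.match(r"^\s*[Vv]?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so (10, 1) == (10, 1, 0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify(family, firmware):
    """Classify one asset: 'eol-no-fix', 'fixed', 'vulnerable' or 'unknown-family'."""
    if family in EOL_NO_FIX:
        return "eol-no-fix"          # only network controls can protect this device
    if family not in FIXED_IN:
        return "unknown-family"      # not covered by this advisory's table
    if compare_versions(parse_version(firmware), FIXED_IN[family]) < 0:
        return "vulnerable"          # below the fixed version: schedule the update
    return "fixed"


def triage(inventory):
    """Count assets per class. inventory: iterable of (asset_name, family, firmware)."""
    return Counter(classify(family, fw) for _, family, fw in inventory)


# Constructed sample inventory (asset names and versions are made up).
SAMPLE_INVENTORY = [
    ("pump-station-1", "SIMATIC S7-400 H V6 CPU family", "V6.0.9"),
    ("pump-station-2", "SIMATIC S7-400 H V6 CPU family", "V6.0.10"),
    ("clarifier-plc", "SIMATIC S7-410 V10 CPU family", "V10.0"),
    ("substation-a", "SIMATIC S7-410 V8 CPU family", "V8.2.3"),
    ("intake-plc", "SIMATIC S7-400 CPU 414-2 DP V7", "V7.0.2"),
]

if __name__ == "__main__":
    for name, family, fw in SAMPLE_INVENTORY:
        print(f"{name:16} {classify(family, fw)}")
    print(dict(triage(SAMPLE_INVENTORY)))
```

Assets that come back `eol-no-fix` are the ones the "Mitigations - no patch available" section applies to; `vulnerable` ones go on the maintenance-window schedule.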
Remediation & Mitigation
Do now
WORKAROUND: For SIMATIC S7-400 PN/DP V7 models with no available patch, restrict access to port 102 (TCP) using firewall rules to trusted engineering and maintenance systems only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC S7-400 H V6 CPU family (including SIPLUS variants) to version 6.0.10 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU family (including SIPLUS variants) to version 10.1 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU family (including SIPLUS variants) to version 8.2.3 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-400 CPU 416F-2 DP V7, SIMATIC S7-400 CPU 417-4 DP V7, SIPLUS S7-400 CPU 416-3 V7, SIPLUS S7-400 CPU 417-4 V7, SIMATIC S7-400 CPU 412-1 DP V7, SIMATIC S7-400 CPU 412-2 DP V7, SIMATIC S7-400 CPU 414-2 DP V7, SIMATIC S7-400 CPU 414-3 DP V7, SIMATIC S7-400 CPU 416-2 DP V7, SIMATIC S7-400 CPU 416-3 DP V7. Apply the following compensating controls:
HARDENING: Segment the PLC network from the business network using a firewall; ensure SIMATIC devices are not accessible from the Internet or untrusted networks
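The workaround and hardening items above, and the prerequisites listed under "How it could be exploited" (network reachability of port 102/TCP, no credentials), both reduce to one allowlist: which engineering hosts may reach which PLCs on port 102. The added example below (not OTPulse's or Siemens' code) keeps that allowlist in one place and uses it twice: `nft_ruleset` renders an nftables ruleset for a Linux firewall sitting between the business and PLC segments (forward hook; apply with `nft -f`), and `audit_flows` checks observed connection records against the same policy so that any other host opening port 102 to a PLC surfaces as a finding. The PLC and workstation addresses, the `Policy` class and the whitespace-separated log format are constructed for illustration.

```python
"""One allowlist for S7-400/S7-410 port 102: nftables enforcement plus flow audit."""
import ipaddress
from dataclasses import dataclass

S7_PORT = 102  # TCP port named in the advisory (ISO-TSAP, carries S7comm)


@dataclass
class Policy:
    plcs: set        # SIMATIC S7-400/S7-410 CPU addresses (constructed)
    eng_hosts: set   # trusted engineering / maintenance workstations (constructed)

    def validate(self):
        for addr in self.plcs | self.eng_hosts:
            ipaddress.ip_address(addr)  # raises ValueError on a typo

    def _sorted(self, addrs):
        return ", ".join(sorted(addrs, key=ipaddress.ip_address))


def nft_ruleset(policy, table="ics_plc"):
    """Render nftables text: eng_hosts may open port 102 to the PLCs; any other
    source to that port is logged (prefix S7-102-DENY) and dropped."""
    policy.validate()
    return (
        f"table inet {table} {{\n"
        "    set s7_plcs {\n"
        "        type ipv4_addr\n"
        f"        elements = {{ {policy._sorted(policy.plcs)} }}\n"
        "    }\n"
        "    set eng_hosts {\n"
        "        type ipv4_addr\n"
        f"        elements = {{ {policy._sorted(policy.eng_hosts)} }}\n"
        "    }\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"        ip daddr @s7_plcs tcp dport {S7_PORT} ip saddr @eng_hosts accept\n"
        f"        ip daddr @s7_plcs tcp dport {S7_PORT} log prefix \"S7-102-DENY \" counter drop\n"
        "    }\n"
        "}\n"
    )


def audit_flows(policy, lines):
    """Return one finding per TCP connection to port 102 on a listed PLC whose source
    is not an allowlisted engineering host. Line format (constructed):
    '<timestamp> <src> <dst> <dport> <proto>'; '#' lines are comments."""
    policy.validate()
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        if proto != "tcp" or int(dport) != S7_PORT or dst not in policy.plcs:
            continue
        if src not in policy.eng_hosts:
            findings.append({"ts": ts, "src": src, "dst": dst})
    return findings


# Constructed policy and traffic sample; none of these addresses are real.
POLICY = Policy(plcs={"10.20.0.11", "10.20.0.12"}, eng_hosts={"10.10.1.5", "10.10.1.6"})
SAMPLE_LOG = """\
# ts src dst dport proto   (constructed sample, not captured traffic)
2022-04-12T10:00:01 10.10.1.5 10.20.0.11 102 tcp
2022-04-12T10:00:07 10.10.1.6 10.20.0.12 102 tcp
2022-04-12T10:00:09 10.10.1.5 10.20.0.11 80 tcp
2022-04-12T10:02:13 192.168.50.77 10.20.0.11 102 tcp
2022-04-12T10:02:14 192.168.50.77 10.20.0.12 102 tcp
2022-04-12T10:03:00 10.10.1.5 10.30.0.5 102 tcp
""".splitlines()

if __name__ == "__main__":
    print(nft_ruleset(POLICY))
    for f in audit_flows(POLICY, SAMPLE_LOG):
        print(f"UNEXPECTED port {S7_PORT} access: {f['src']} -> {f['dst']} at {f['ts']}")
```

The audit deliberately checks only destinations in `plcs`: the last sample line (to 10.30.0.5) is ignored because that host is not in the policy, which is the cue to extend the inventory rather than the allowlist. The `S7-102-DENY` log prefix gives the same finding from the firewall side once the ruleset is loaded.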
API: /api/v1/advisories/15b4ed6c-2d97-4674-a95f-b5ad27257110
Siemens SIMATIC S7-400 | CVSS 7.5 - OTPulse