OTPulse

Siemens Industrial PCs and CNC devices

CVSS: 7.8
Advisory: ICS-CERT ICSA-22-132-05
Date: May 11, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens Industrial PCs, Field Programming devices, Drive Controllers, and SINUMERIK CNC controllers are affected by a set of Intel firmware and chipset vulnerabilities published in November 2020. These include vulnerabilities in Intel CSME (Converged Security and Management Engine), BIOS, RAPL (Running Average Power Limit) interface, and processor microcode. The vulnerabilities allow local privilege escalation and arbitrary code execution at the firmware level. Affected products include SIMATIC Field PG M5/M6, SIMATIC IPC127E/IPC427E/IPC477E/IPC527G/IPC547G/IPC627E/IPC647E/IPC677E/IPC847E/ITP1000, SIMATIC Drive Controller family, SIMATIC ET 200SP Open Controller CPU 1515SP PC2, and SINUMERIK machine controllers (828D HW PU.4, MC MCU 1720, NCU 1740, PPU 1740). Exploitation requires local code execution capability on the device; these are not remotely exploitable.

What this means
What could happen
An attacker with local access to an Industrial PC or CNC device could execute arbitrary code with elevated privileges, potentially altering process settings, stopping manufacturing operations, or corrupting machine control firmware. These are firmware and chipset vulnerabilities that affect the system at a deep level, below the operating system.
Who's at risk
Manufacturing facilities using Siemens SIMATIC Industrial PCs (IPC127E, IPC427E, IPC477E, IPC527G, IPC547G, IPC627E, IPC647E, IPC677E, IPC847E, ITP1000), Field Programming devices (Field PG M5, M6), Drive Controllers, and SINUMERIK CNC machine controllers (828D, MCU 1720, NCU 1740, PPU 1740) that execute machining, process control, or automation logic. These devices are critical to production operations in discrete manufacturing and machine tool environments.
How it could be exploited
An attacker with physical or local network access can exploit these Intel chipset/firmware vulnerabilities (CSME, BIOS, RAPL interface, processor) to execute untrusted code at the firmware level. The vulnerabilities require local code execution capability but no authentication, allowing code running on the system to escalate privileges and compromise the machine controller or IPC without operator intervention.
Prerequisites
  • Local access to the device (physical console, remote desktop, or local network access)
  • Ability to run untrusted code on the system (e.g., via software installation, USB media, or compromised application)
  • No authentication bypass required once local access is established

  • Low local complexity exploitation
  • No authentication required for privilege escalation
  • Affects firmware layer (BIOS, CSME, chipset)
  • Impacts multiple product families with widespread deployment
  • No public exploits currently known
  • Patches available but require maintenance windows
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (20), 20 pending

Product               Affected Versions   Fix Status
SIMATIC Field PG M6   < V26.01.08         No fix yet
SIMATIC IPC527G       < BIOS V1.4.0       No fix yet
SIMATIC IPC547G       < R1.30.0           No fix yet
SIMATIC IPC627E       < BIOS V25.02.08    No fix yet
SIMATIC IPC647E       < BIOS V25.02.08    No fix yet
Remediation & Mitigation

Do now
  • WORKAROUND: Implement network access controls and firewall rules to restrict local network access to Industrial PCs and CNC control devices to authorized engineering workstations and maintenance personnel only
  • WORKAROUND: Disable or restrict USB media and removable device usage on Industrial PCs and CNC controllers unless required for maintenance

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Drive Controller family
  • HOTFIX: Update SIMATIC Drive Controller family to BIOS v05.00.01.00 (coordinate with Siemens account manager for download)

All products
  • HOTFIX: Update SIMATIC IPC and Field PG devices to specified BIOS versions (v21.01.15, v22.01.08, v23.01.08, v25.02.08, v26.01.08, v27.01.05, v1.4.0, R1.30.0 depending on model)
  • HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to BIOS v0209_0105 or later
  • HOTFIX: Update SINUMERIK CNC devices (828D HW PU.4, MC MCU 1720, NCU 1740, PPU 1740) to specified BIOS versions (coordinate with Siemens for software download)
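The BIOS update steps above are only actionable once you know which devices in your plant still run a version below the fix threshold. The following script, an added example that is not OTPulse or Siemens code, takes the "Affected Versions" entries from the advisory table (only the five rows shown on this page; the other fifteen products are not listed here) and checks a constructed sample inventory against them. Hostnames and installed versions in the inventory are hypothetical. It normalises the mixed version spellings the advisory uses ("BIOS V25.02.08", "R1.30.0", "v0209_0105") into numeric tuples so that, for example, 1.10.0 correctly ranks above 1.4.0.

```python
"""Check an IPC/Field PG inventory against the advisory's BIOS fix thresholds.

Added example, not OTPulse or Siemens code. FIX_THRESHOLDS is copied from the
advisory table on this page; SAMPLE_INVENTORY is constructed sample data.
"""
import re
from typing import List, Optional, Tuple

# "Affected Versions" from the advisory table: installed versions strictly
# below the threshold are affected. Only the rows visible on the page are
# included; the remaining affected products are not listed here.
FIX_THRESHOLDS = {
    "SIMATIC Field PG M6": "V26.01.08",
    "SIMATIC IPC527G": "BIOS V1.4.0",
    "SIMATIC IPC547G": "R1.30.0",
    "SIMATIC IPC627E": "BIOS V25.02.08",
    "SIMATIC IPC647E": "BIOS V25.02.08",
}

# Constructed sample inventory: (hostname, product, installed BIOS version).
# Hostnames and versions are hypothetical.
SAMPLE_INVENTORY = [
    ("cnc-cell-01", "SIMATIC IPC627E", "BIOS V25.02.06"),
    ("cnc-cell-02", "SIMATIC IPC627E", "V25.02.08"),
    ("pg-maint-07", "SIMATIC Field PG M6", "V26.1.8"),
    ("ipc-line-03", "SIMATIC IPC547G", "R1.29.2"),
    ("ipc-line-04", "SIMATIC IPC527G", "BIOS V1.10.0"),
    ("hmi-unknown", "SIMATIC IPC847E", "V27.01.05"),
]

# First run of digits separated by '.' or '_' (e.g. 25.02.08 or 0209_0105).
_VERSION_RE = re.compile(r"\d+(?:[._]\d+)*")


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise 'BIOS V25.02.08', 'R1.30.0' or 'v0209_0105' to an int tuple.

    Letter prefixes are ignored and each numeric field is compared as an
    integer, so '1.10.0' > '1.4.0' and 'V25.2.8' == 'BIOS V25.02.08'.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no numeric version found in {text!r}")
    return tuple(int(field) for field in re.split(r"[._]", match.group(0)))


def is_affected(product: str, installed: str) -> Optional[bool]:
    """True if below the fix threshold, False if at or above it,
    None if the product is not in the (partial) threshold table."""
    threshold = FIX_THRESHOLDS.get(product)
    if threshold is None:
        return None
    return parse_version(installed) < parse_version(threshold)


def check_inventory(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return one (hostname, product, installed, status) row per device.

    Status is 'AFFECTED', 'ok', or 'unknown-product' for devices whose
    product is not covered by the threshold table and needs manual review.
    """
    labels = {True: "AFFECTED", False: "ok", None: "unknown-product"}
    return [
        (host, product, installed, labels[is_affected(product, installed)])
        for host, product, installed in rows
    ]


if __name__ == "__main__":
    for host, product, installed, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {product:22} {installed:16} {status}")
```

Devices reported as `unknown-product` are not cleared: they are models the page's partial table does not cover, so their thresholds must be looked up in the full Siemens advisory before a maintenance window is scheduled. Version tuples of different length compare positionally (so `(1, 30)` sorts below `(1, 30, 0)`); pad or normalise field counts if your inventory records versions inconsistently.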
Long-term hardening
  • HARDENING: Implement defense-in-depth security controls to limit the ability for untrusted code to execute on the system (code signing verification, application whitelisting, trusted execution environments)
  • HARDENING: Segment Industrial PCs and CNC devices into a protected network with restricted access from the engineering network and external systems
API: /api/v1/advisories/7782569f-ee68-4513-aa3b-13388fec577b