Siemens SIMATIC MV500 Devices
Plan Patch | 8 | ICS-CERT ICSA-22-195-03 | Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
SIMATIC MV500 devices before firmware version 3.3 contain two vulnerabilities: CVE-2022-33137 allows attackers to hijack authenticated web management sessions, and CVE-2022-33138 allows unauthenticated access to device data. Both vulnerabilities require network access to the device's web management interface. Siemens has released firmware v3.3 addressing these issues and additional vulnerabilities documented in SSA-712929.
What this means
What could happen
An attacker with network access could hijack legitimate user sessions on the web management interface or access device data without authentication, potentially allowing unauthorized changes to device configuration or settings.
Who's at risk
Siemens SIMATIC MV500 series devices (MV540 H/S, MV550 H/S, MV560 U/X) used in power distribution, building automation, and utility operations for substation monitoring and control.
How it could be exploited
An attacker on the network could intercept and hijack an authenticated user's web session (CVE-2022-33137) without needing valid credentials, or directly access sensitive data by exploiting missing authentication controls (CVE-2022-33138). This requires the device to be reachable from the attacker's network location.
Prerequisites
- Network access to the device's web management interface (typically port 443/HTTPS)
- For session hijacking: an authenticated user must be actively using the management interface
- Device running firmware version prior to 3.3
- Remotely exploitable over network
- Low complexity attack (session hijacking or direct data access)
- Affects web management access—could allow unauthorized configuration changes
- Requires network access but one vulnerability requires no authentication (CVE-2022-33138)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
SIMATIC MV540 H | <V3.3 | 3.3
SIMATIC MV540 S | <V3.3 | 3.3
SIMATIC MV550 H | <V3.3 | 3.3
SIMATIC MV550 S | <V3.3 | 3.3
SIMATIC MV560 U | <V3.3 | 3.3
SIMATIC MV560 X | <V3.3 | 3.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the device's web management interface using firewall rules or network segmentation (allow only from authorized engineering workstations or control network subnets)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC MV540 H
HOTFIX: Update SIMATIC MV540 H, MV540 S, MV550 H, MV550 S, MV560 U, and MV560 X devices to firmware version 3.3 or later
Long-term hardening
HARDENING: Configure the MV500 device environment according to Siemens Operational Guidelines for Industrial Security, including implementing defense-in-depth network controls and limiting physical/network access to authorized personnel only
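One way to triage an asset inventory against the affected-products table and the network-restriction workaround above. This is an added example, not code from Siemens or the advisory; the CSV layout, the `mgmt_allowed_sources` column, host names, and the authorized subnet are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
import re

# Affected models and fixed firmware version, as listed in the advisory.
AFFECTED_MODELS = {f"SIMATIC {m}" for m in
                   ("MV540 H", "MV540 S", "MV550 H", "MV550 S", "MV560 U", "MV560 X")}
FIXED_VERSION = (3, 3)
# Assumption: the site's authorized engineering subnet (hypothetical).
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Constructed sample inventory; hosts, addresses and ACL sources are made up.
SAMPLE_INVENTORY = """\
host,model,firmware,mgmt_allowed_sources
reader-01,SIMATIC MV540 H,V3.2.1,10.20.0.0/24
reader-02,SIMATIC MV550 S,V3.3,10.20.0.0/24
reader-03,SIMATIC MV560 X,3.1,0.0.0.0/0
reader-04,SIMATIC MV560 U,unknown,10.20.0.0/24;10.99.0.0/16
"""

def parse_version(text):
    """Return a tuple of ints from 'V3.2.1' or '3.3'; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def needs_patch(firmware):
    """True if firmware is older than 3.3; unknown versions count as unpatched."""
    v = parse_version(firmware)
    if v is None:
        return True
    # Pad short versions so that '3' compares as (3, 0).
    return v + (0,) * (len(FIXED_VERSION) - len(v)) < FIXED_VERSION

def overexposed(sources):
    """Return allowed source networks that fall outside every authorized subnet."""
    nets = [ipaddress.ip_network(s) for s in sources.split(";") if s]
    return [str(n) for n in nets
            if not any(n.subnet_of(a) for a in AUTHORIZED_NETS)]

def audit(inventory_csv):
    """Return (host, needs_patch, overexposed_sources) for each affected model."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip() in AFFECTED_MODELS:
            findings.append((row["host"], needs_patch(row["firmware"]),
                             overexposed(row["mgmt_allowed_sources"])))
    return findings

if __name__ == "__main__":
    for host, patch, exposed in audit(SAMPLE_INVENTORY):
        print(host, "PATCH" if patch else "ok", exposed or "restricted")
```

Devices with an unparseable firmware string are reported as needing a patch so they are not silently skipped.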
CVEs (2)