OTPulse

Siemens SRCS VPN Feature in SIMATIC CP Devices

Act Now · CVSS 10
ICS-CERT ICSA-22-195-12
Jul 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in SRCS VPN feature of Siemens SIMATIC CP communication processor devices could allow an attacker to execute arbitrary code with elevated privileges. Affected products include SIMATIC CP 1242-7, CP 1243 series, CP 1542SP, CP 1543 series, and related SIPLUS variants across versions prior to specific patched releases. The SRCS VPN feature is not enabled by default but is commonly deployed for remote engineering and maintenance access. Exploitation requires network reachability to UDP port 5243 on the CP device.

What this means
What could happen
An attacker could execute arbitrary code with elevated privileges on SIMATIC CP communication processor devices when the SRCS VPN feature is enabled, potentially allowing them to intercept or manipulate communications between industrial equipment and remote engineering stations.
Who's at risk
Transportation, rail, and utility operators using Siemens SIMATIC CP communication processors for remote connectivity and engineering access. This affects automation systems that rely on CP 1242, CP 1243, CP 1542SP, CP 1543, and SIPLUS family devices for remote VPN connections. Water authorities and electric utilities using these processors for SCADA or field device communication are at risk.
How it could be exploited
An attacker with network access to a CP device with SRCS VPN enabled can send a specially crafted packet to port 5243/UDP to the device. If the device is configured to connect to a SINEMA Remote Connect Server, or if the attacker can intercept that communication path, they can exploit buffer overflow, code injection, or command injection vulnerabilities in the VPN feature to execute arbitrary code with elevated privileges.
Prerequisites
  • Network access to port 5243/UDP on the CP device
  • SRCS VPN feature must be enabled on the device
  • The device must be reachable from the attacker's network (not isolated behind firewalls)
  • Remotely exploitable via UDP port 5243
  • Critical CVSS score (10.0)
  • Multiple vulnerability types (buffer overflow, code injection, command injection)
  • Affects remote access and engineering connectivity paths
  • Feature not enabled by default but often deployed for remote support
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (15)
15 with fix
Product                   | Affected Versions    | Fix Status
SIMATIC CP 1242-7 V2      | < V3.3.46            | 3.3.46
SIMATIC CP 1243-1         | < V3.3.46            | 3.3.46
SIMATIC CP 1243-7 LTE EU  | < V3.3.46            | 3.3.46
SIMATIC CP 1243-7 LTE US  | < V3.3.46            | 3.3.46
SIMATIC CP 1243-8 IRC     | < V3.3.46            | 3.3.46
SIMATIC CP 1542SP-1 IRC   | ≥ V2.0 and < V2.2.28 | 2.2.28
SIMATIC CP 1543-1         | < V3.0.22            | 3.0.22
SIMATIC CP 1543SP-1       | ≥ V2.0 and < V2.2.28 | 2.2.28
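As an added example (not OTPulse or Siemens tooling), the following Python script triages a CP asset inventory against the affected-version table above, separating devices that need the hotfix from those that are also exposed right now because SRCS VPN is enabled. The hostnames, firmware strings and VPN flags in the inventory are constructed; the version ranges are the ones in the table.

```python
# Added example (not OTPulse or Siemens tooling): triage a CP inventory
# against the affected-version table in this advisory.
import re

# product -> (lowest affected version or None, first fixed version)
AFFECTED = {
    "SIMATIC CP 1242-7 V2":     (None,   "V3.3.46"),
    "SIMATIC CP 1243-1":        (None,   "V3.3.46"),
    "SIMATIC CP 1243-7 LTE EU": (None,   "V3.3.46"),
    "SIMATIC CP 1243-7 LTE US": (None,   "V3.3.46"),
    "SIMATIC CP 1243-8 IRC":    (None,   "V3.3.46"),
    "SIMATIC CP 1542SP-1 IRC":  ("V2.0", "V2.2.28"),
    "SIMATIC CP 1543-1":        (None,   "V3.0.22"),
    "SIMATIC CP 1543SP-1":      ("V2.0", "V2.2.28"),
}

def parse_version(text):
    """'V3.3.46', '3.3.46' or 'V2.0' -> (3, 3, 46); missing parts count as 0."""
    m = re.fullmatch(r"\s*V?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, version, srcs_vpn_enabled):
    """Does this device need the hotfix, and is it exposed right now?"""
    if product not in AFFECTED:
        return {"affected": False, "exposed": False, "fix": None}
    lowest, fixed = AFFECTED[product]
    v = parse_version(version)
    vulnerable = v < parse_version(fixed)
    if lowest is not None:              # ranged entries such as ">= V2.0 < V2.2.28"
        vulnerable = vulnerable and v >= parse_version(lowest)
    # A vulnerable build is only reachable over 5243/UDP if SRCS VPN is switched on
    return {"affected": vulnerable,
            "exposed": vulnerable and srcs_vpn_enabled,
            "fix": fixed if vulnerable else None}

# Constructed inventory: (hostname, product, firmware, SRCS VPN enabled)
INVENTORY = [
    ("cp-rail-01", "SIMATIC CP 1243-1",       "V3.2.17", True),   # patch now
    ("cp-rail-02", "SIMATIC CP 1243-1",       "V3.3.46", True),   # already fixed
    ("cp-pump-07", "SIMATIC CP 1542SP-1 IRC", "V1.0.15", True),   # below V2.0 range
    ("cp-pump-08", "SIMATIC CP 1543SP-1",     "V2.1.3",  False),  # patch; VPN off
]

def triage_inventory(rows=INVENTORY):
    """Return [(hostname, triage result)] so exposed devices can be scheduled first."""
    return [(host, triage(prod, fw, on)) for host, prod, fw, on in rows]
```

Devices marked `exposed` should get the "Do now" workarounds before the maintenance window; devices marked only `affected` still need the hotfix before SRCS VPN is ever enabled on them.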
Remediation & Mitigation
Do now
WORKAROUND: Disable the SRCS VPN feature if not actively required for operations
WORKAROUND: Block access to port 5243/UDP at the edge firewall to prevent unauthorized attempts to reach the device
HARDENING: Configure CP devices to only connect to trusted SINEMA Remote Connect Server instances using whitelisting if the VPN feature must remain enabled
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 1242-7 V2
HOTFIX: Update all SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-7 LTE, CP 1243-8 IRC, and SIPLUS S7-1200 CP 1243-1 devices to firmware version 3.3.46 or later
SIMATIC CP 1542SP-1 IRC
HOTFIX: Update all SIMATIC CP 1542SP-1 IRC, CP 1543-1, CP 1543SP-1, and related SIPLUS ET 200SP products to their respective fixed versions (2.2.28 or 3.0.22)
Long-term hardening
HARDENING: Isolate all CP communication processors and control system networks behind firewalls, segmented from business networks
HARDENING: Implement network segmentation and access controls to limit exposure of OT devices to untrusted networks