Siemens Web Server Login Page of Industrial Controllers
6.5 | ICS-CERT ICSA-22-314-02 | Nov 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The web server login page of affected SIMATIC and SINUMERIK industrial controllers does not properly check the origin of requests. This allows attackers to craft requests (e.g., via malicious links or embedded page content) that trick authenticated users into performing unintended actions on the controller's web interface. This is a cross-site request forgery (CSRF) vulnerability in the login page itself.
What this means
What could happen
An attacker can trick an authenticated engineer or operator into unintentionally modifying controller settings, disabling alarms, or viewing sensitive configuration details via a malicious link, potentially affecting plant operations or exposing system design information.
Who's at risk
Manufacturing and transportation sectors using Siemens industrial controllers should prioritize this. Affected devices include SIMATIC S7-300, S7-400, S7-1200, S7-1500, Drive Controller CPUs, ET 200 series I/O modules with CPUs, SIMATIC PC Station, WinCC Runtime Advanced, SINUMERIK ONE, and SIPLUS variants. Any facility relying on these PLCs for process control (chemical plants, motor control, process automation, CNC machines) should assess its exposure.
How it could be exploited
An attacker crafts a malicious link or web page that triggers an unintended request to the controller's web server. When an authenticated user (engineer, operator) clicks the link or visits the attacker's page, their browser sends a request to the controller using their active session. Because the controller does not verify the request's origin, the attacker's command is processed as if the user authorized it.
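The origin check the advisory says the login page lacks, as an added example (not Siemens code and not a patch for the controllers): the logic a reverse proxy placed in front of a still-unpatched controller's web server would apply to reject cross-site state-changing requests. The hostnames and request headers are constructed placeholders.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the addresses under which operators reach the
# controller's web server (placeholders, not real Siemens defaults).
ALLOWED_ORIGINS = {"https://plc-1.example.internal", "https://192.0.2.10"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Derive scheme://host[:port] from Origin, falling back to Referer."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin and origin != "null":          # "null" is sent for opaque origins
        return origin.rstrip("/")
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_cross_site(headers: Dict[str, str], allowed=ALLOWED_ORIGINS) -> bool:
    """True when the browser-reported source of the request is not the controller."""
    h = {k.lower(): v for k, v in headers.items()}
    # Sec-Fetch-Site is set by the browser itself, not by page script; use it first.
    site = h.get("sec-fetch-site")
    if site in ("same-origin", "none"):      # "none" = user typed the URL / bookmark
        return False
    if site == "cross-site":
        return True
    # Otherwise compare Origin/Referer with the allowlist; fail closed when absent.
    return request_origin(headers) not in allowed


def should_reject(method: str, headers: Dict[str, str]) -> bool:
    """Reject state-changing requests (login, setting changes) that arrive cross-site."""
    if method.upper() in SAFE_METHODS:
        return False
    return is_cross_site(headers)


if __name__ == "__main__":
    # Constructed requests: an operator's own login and one forged from another page.
    legit = {"Origin": "https://plc-1.example.internal", "Sec-Fetch-Site": "same-origin"}
    forged = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
    print("legit login rejected:", should_reject("POST", legit))    # False
    print("forged login rejected:", should_reject("POST", forged))  # True
```

A request with neither Origin nor Referer (for example, a privacy extension stripping them) is rejected on purpose; loosen that only after checking it does not break the engineering workstations' normal use of the interface.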
Prerequisites
- Attacker can reach the controller's web server from the network (HTTP/HTTPS port, typically 80/443)
- A legitimate user must be actively logged into the controller's web interface
- Attacker can deliver a malicious link or web page to the authenticated user (phishing, compromised website, email)
- Remotely exploitable via web interface
- No authentication required for the attacker (only the victim needs to be logged in)
- Low attack complexity (trivial to craft a malicious link)
- Requires user interaction (victim must click link or visit attacker's page)
- Multiple products have no patches available (end-of-life or no vendor fix planned)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (121)
99 with fix, 22 pending
Product | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF | < V2.9.7 | 2.9.7
SIMATIC Drive Controller CPU 1507D TF | < V2.9.7 | 2.9.7
SIMATIC ET 200pro IM154-8 PN/DP CPU | < V3.2.19 | 3.2.19
SIMATIC ET 200pro IM154-8F PN/DP CPU | < V3.2.19 | 3.2.19
SIMATIC ET 200pro IM154-8FX PN/DP CPU | < V3.2.19 | 3.2.19
Remediation & Mitigation
Do now
SIMATIC PC Station
WORKAROUND: For SIMATIC PC Station, SIMATIC S7-400 PN/DP V6/V7, and other S7-1500/S7-400 models with no fix available: disable the web server functionality to eliminate the attack surface
All products
HARDENING: Restrict web server access to the controller using firewall rules; only allow connections from known engineering workstations or restricted IP ranges on the controller's HTTP/HTTPS port
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SIMATIC S7-1500 CPU family (all variants), ET 200pro/ET 200S CPUs, S7-300 CPUs, Drive Controller CPUs, and S7-PLCSIM Advanced to their patched versions (V3.0.1, V3.2.19, V3.3.19, V2.9.7, or V5.0 as specified for each product)
Long-term hardening
HARDENING: Educate operators and engineers not to click links from untrusted sources that reference the controller's web interface; treat such requests as phishing attempts
HARDENING: Segment the controller network from the corporate network to prevent direct internet-to-controller access and reduce the reach of phishing campaigns targeting operators
CVEs (1)