Siemens S7-1500 CPU devices

MonitorCVSS 4.6ICS-CERT ICSA-23-012-08Jan 10, 2023

SiemensManufacturingTransportation

Attack path

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Affected models of the S7-1500 CPU product family lack an Immutable Root of Trust in Hardware. The integrity of code executed on the device cannot be validated during boot. An attacker with physical access could replace the boot image and execute arbitrary code on the device. Siemens is releasing new hardware versions for several CPU types to fix this vulnerability and working on additional hardware versions for remaining PLC types. The vulnerability is hardware-level and cannot be patched via firmware update.

What this means

What could happen

An attacker with physical access to the PLC could inject malicious code that runs during boot, allowing them to alter control logic, modify setpoints, or disable safety functions without detection.

Who's at risk

Manufacturing facilities and transportation systems using S7-1500 series PLCs (CPU 1504D through CPU 1518 and ET 200pro variants, including SIPLUS hardened versions). This affects any facility relying on these controllers for process automation, safety systems, or critical equipment control.

How it could be exploited

An attacker with physical access to the device would open the enclosure, access the internal storage or boot interface, replace the boot image with a modified version, and restart the device. The device would execute the attacker's code without validation.

Prerequisites

Physical access to the device internals
Ability to modify or replace boot storage/firmware
Device must be powered on or restarted to execute injected code

no patch availablerequires physical access (lowers exploitability but increases impact if achieved)affects widespread PLC familyhardware vulnerability (cannot be fixed via firmware)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (71)

71 pending

ProductAffected VersionsFix Status

SIMATIC Drive Controller CPU 1504D TFAll versionsNo fix yet

SIMATIC Drive Controller CPU 1507D TFAll versionsNo fix yet

SIMATIC S7-1500 CPU 1510SP F-1 PNAll versionsNo fix yet

SIMATIC S7-1500 CPU 1510SP-1 PNAll versionsNo fix yet

SIMATIC S7-1500 CPU 1511-1 PNAll versionsNo fix yet

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGAssess physical security risk: evaluate who has access to PLC enclosures and equipment locations in your plant

HARDENINGRestrict physical access to CPU hardware: implement locked enclosures, cable locks, tamper seals, or surveillance for devices in accessible areas

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXPlan hardware replacement: for critical or accessible devices, work with Siemens to obtain and schedule replacement with new hardware versions that include hardware-based boot validation

Long-term hardening

0/1

HARDENINGSegment network access: configure firewalls and network controls to restrict engineering and maintenance access to programming ports; disable unnecessary network services on CPUs

CVEs (1)

CVE-2022-38773

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/caa4678d-1e41-4d1d-a486-c88c5c2a69ca

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.