Siemens SIMATIC Industrial Products
Plan Patch | 7.9 | ICS-CERT ICSA-23-047-09 | Feb 14, 2023
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
This advisory addresses Intel-SA-00688 vulnerabilities that affect Siemens SIMATIC industrial products. The vulnerabilities stem from underlying Intel BIOS issues and require local code execution with elevated privileges to exploit. Siemens has released BIOS updates (2022.3 IPU) for most affected products. A successful attack allows an attacker to modify device firmware or system settings, potentially disrupting industrial processes. The SIMATIC ITP1000 is affected across all versions with no patch available from Siemens.
What this means
What could happen
An attacker with local access to a Siemens industrial PC or engineering workstation could execute untrusted code with high privileges, potentially modifying device firmware or process settings and disrupting manufacturing operations. The SIMATIC ITP1000 cannot be patched and remains at risk.
Who's at risk
Manufacturing facilities operating Siemens SIMATIC industrial PCs, engineering workstations, and field portable devices (Field PG models) that are used for process control, configuration, and diagnostics. This includes automotive, chemical, utilities, and discrete manufacturing sectors. The engineering workstations (Field PG M5, M6) and embedded industrial PCs (IPC427E through IPC847E series) are particularly critical as they directly control or configure production systems.
How it could be exploited
An attacker must first gain the ability to run untrusted code on the affected device—typically by executing a malicious file, application, or script on the engineering workstation or industrial PC. Once code execution is achieved with elevated privileges, the attacker can modify system settings or firmware, affecting the device's control logic or availability.
Prerequisites
- Local access to the device (not remotely exploitable)
- Ability to execute untrusted code on the device (e.g., via compromised USB, file share, or user action)
- High privilege context (administrative or engineering credentials may be required depending on system configuration)
- Requires local code execution (reduced remote risk but still a privilege escalation threat)
- No patch available for SIMATIC ITP1000 (all versions affected)
- Affects high-privilege operations (firmware/system configuration)
- Related to Intel BIOS vulnerabilities with potential for supply-chain propagation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (14)
13 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC Field PG M5 | <V22.01.11 | 22.01.11
SIMATIC ITP1000 | All versions | No fix (EOL)
SIMATIC Field PG M6 | <V26.01.11 | 26.01.11
SIMATIC IPC BX-39A | <V29.01.03 | 29.01.03
SIMATIC IPC PX-39A | <V29.01.03 | 29.01.03
SIMATIC IPC PX-39A PRO | <V29.01.03 | 29.01.03
SIMATIC IPC427E | <V21.01.19 | 21.01.19
SIMATIC IPC477E | <V21.01.19 | 21.01.19
Remediation & Mitigation
Do now
WORKAROUND: Restrict local code execution on affected devices by disabling USB auto-run, enforcing application whitelisting, and controlling file share access from untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Field PG M5
HOTFIX: Update SIMATIC Field PG M5 to version 22.01.11 or later
SIMATIC Field PG M6
HOTFIX: Update SIMATIC Field PG M6 to version 26.01.11 or later
SIMATIC IPC BX-39A
HOTFIX: Update SIMATIC IPC BX-39A to version 29.01.03 or later
SIMATIC IPC PX-39A
HOTFIX: Update SIMATIC IPC PX-39A to version 29.01.03 or later
HOTFIX: Update SIMATIC IPC PX-39A PRO to version 29.01.03 or later
SIMATIC IPC427E
HOTFIX: Update SIMATIC IPC427E to version 21.01.19 or later
SIMATIC IPC477E
HOTFIX: Update SIMATIC IPC477E to version 21.01.19 or later
HOTFIX: Update SIMATIC IPC477E PRO to version 21.01.19 or later
SIMATIC IPC627E
HOTFIX: Update SIMATIC IPC627E to version 25.02.14 or later
SIMATIC IPC647E
HOTFIX: Update SIMATIC IPC647E to version 25.02.14 or later
SIMATIC IPC677E
HOTFIX: Update SIMATIC IPC677E to version 25.02.14 or later
SIMATIC IPC847E
HOTFIX: Update SIMATIC IPC847E to version 25.02.14 or later
SIPLUS IPC427E
HOTFIX: Update SIPLUS IPC427E to version 21.01.19 or later
Mitigations - no patch available
SIMATIC ITP1000 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For SIMATIC ITP1000 (no patch available), implement additional host-level monitoring to detect unauthorized code execution and restrict physical access to the device
HARDENING: Isolate engineering workstations and industrial PCs from business networks using network segmentation and firewalls
HARDENING: Implement access controls to limit who can log into and execute code on industrial workstations and PCs
CVEs (1)