Siemens SIMATIC S7-1500 TM MFP BIOS
Act Now · 9.8 · ICS-CERT ICSA-23-166-10 · Jun 13, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in the BIOS of the SIMATIC S7-1500 TM MFP module (firmware versions before 1.3.0). These include input validation flaws (CWE-20, CWE-125), memory corruption issues (buffer overflow CWE-787, use-after-free CWE-416), and improper access controls (CWE-276, CWE-363). The BIOS fails to properly validate incoming network requests, allowing remote code execution without authentication. The vulnerabilities are remotely exploitable with low complexity, and this module is actively used in operational technology environments.
What this means
What could happen
An unauthenticated attacker on the network could exploit multiple memory corruption and input validation flaws in the BIOS to execute arbitrary code, disabling the TM MFP module and interrupting any dependent automation or safety functions that rely on it.
Who's at risk
Water authorities and electric utilities using SIMATIC S7-1500 TM MFP modules in automation systems. This includes the TM (Terminal Modem) MFP communication module used for remote access, process monitoring, or backup control functions. Any facility with this module should prioritize this vulnerability.
How it could be exploited
An attacker on the network sends a crafted network request to the SIMATIC S7-1500 TM MFP BIOS (port and protocol not specified in advisory, but likely HTTP/HTTPS or management interface). The BIOS fails to validate input and suffers from buffer overflow and memory corruption flaws, allowing the attacker to execute code with BIOS-level privileges. This could disable or modify the module's operation.
Prerequisites
- Network access to the SIMATIC S7-1500 TM MFP module
- BIOS version earlier than 1.3.0
- No authentication required
- Actively exploited (KEV)
- Remotely exploitable
- No authentication required
- Low attack complexity
- BIOS-level code execution possible
- High EPSS score (59.4%)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC S7-1500 TM MFP - BIOS | <V1.3.0 | 1.3.0 |
Remediation & Mitigation
Do now
- HOTFIX: Update SIMATIC S7-1500 TM MFP BIOS to version 1.3.0 or later
- WORKAROUND: Restrict network access to the SIMATIC S7-1500 TM MFP using firewall rules or network segmentation
Long-term hardening
- HARDENING: Only build and run applications from trusted sources
- HARDENING: Implement defense-in-depth network security per Siemens operational guidelines for industrial security
CVEs (72)
CVE-2016-10228, CVE-2019-25013, CVE-2020-1752, CVE-2020-10029, CVE-2020-27618, CVE-2020-29562, CVE-2021-3326, CVE-2021-3998, CVE-2021-3999, CVE-2021-20269, CVE-2021-27645, CVE-2021-28831, CVE-2021-33574, CVE-2021-35942, CVE-2021-38604, CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386, CVE-2021-44879, CVE-2022-1015, CVE-2022-1882, CVE-2022-2585, CVE-2022-2588, CVE-2022-2905, CVE-2022-3028, CVE-2022-3435, CVE-2022-3586, CVE-2022-4378, CVE-2022-4662, CVE-2022-20421, CVE-2022-20422, CVE-2022-21233, CVE-2022-23218, CVE-2022-23219, CVE-2022-28391, CVE-2022-30065, CVE-2022-39188, CVE-2022-39190, CVE-2022-40307, CVE-2022-41222, CVE-2022-42703, CVE-2023-0179, CVE-2023-0394, CVE-2023-1073, CVE-2023-2898, CVE-2023-3390, CVE-2023-3610, CVE-2023-3611, CVE-2023-3776, CVE-2023-4004, CVE-2023-4015, CVE-2023-4128, CVE-2023-4147, CVE-2023-4273, CVE-2023-4527, CVE-2023-4806, CVE-2023-4911, CVE-2023-5156, CVE-2023-31248, CVE-2023-35001, CVE-2023-45863