Siemens SIMATIC S7-1500 TM MFP Linux Kernel
Act Now | 9.8 | ICS-CERT ICSA-23-166-11 | Jun 13, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.0. These include memory corruption (CWE-190, CWE-787, CWE-121, CWE-119, CWE-120), authentication bypass (CWE-287, CWE-284), privilege escalation (CWE-863), insecure cryptographic practices (CWE-327, CWE-326), and improper input validation (CWE-20). The vulnerabilities allow remote code execution and system compromise without authentication. Siemens has released version 1.1 which corrects these issues.
What this means
What could happen
Multiple critical vulnerabilities in the Linux subsystem of SIMATIC S7-1500 TM MFP could allow an attacker to execute arbitrary code, modify system configurations, or disrupt operations on the controller. This device is actively being exploited in the wild.
Who's at risk
Organizations operating SIMATIC S7-1500 TM MFP controllers in water distribution, wastewater treatment, electrical generation, or other critical infrastructure should prioritize this immediately. The device manages critical process logic and safety functions; compromise could disrupt operations or affect public safety.
How it could be exploited
An attacker with network access to the SIMATIC S7-1500 TM MFP can send specially crafted requests to trigger memory corruption, authentication bypass, or privilege escalation flaws in the Linux kernel subsystem. Once exploited, the attacker gains full control to modify process logic, alter setpoints, or halt the controller entirely.
Prerequisites
- Network access to the SIMATIC S7-1500 TM MFP
- No authentication required for initial exploitation
Tags: remotely exploitable; no authentication required; low complexity; actively exploited (KEV); high EPSS score (88.5%); affects critical infrastructure control systems
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
SIMATIC S7-1500 TM MFP - GNU/Linux subsystem | <V1.1 | 1.1
Remediation & Mitigation
Do now
- HOTFIX: Update SIMATIC S7-1500 TM MFP GNU/Linux subsystem to version 1.1 or later
- WORKAROUND: Restrict network access to the SIMATIC S7-1500 TM MFP using firewall rules, network segmentation, or air-gapping from untrusted networks
- HARDENING: Only deploy and run applications on the device from trusted, verified sources with proper code review and validation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement network monitoring and intrusion detection to detect suspicious connection attempts to the device
CVEs (168)
CVE-2020-12762, CVE-2021-3759, CVE-2021-4037, CVE-2021-33655, CVE-2021-44879, CVE-2022-0171, CVE-2022-1012, CVE-2022-1015, CVE-2022-1184, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1462, CVE-2022-1473, CVE-2022-1679, CVE-2022-1852, CVE-2022-1882, CVE-2022-2068, CVE-2022-2078, CVE-2022-2097, CVE-2022-2153, CVE-2022-2274, CVE-2022-2327, CVE-2022-2503, CVE-2022-2586, CVE-2022-2588, CVE-2022-2602, CVE-2022-2663, CVE-2022-2905, CVE-2022-2959, CVE-2022-2978, CVE-2022-3028, CVE-2022-3104, CVE-2022-3115, CVE-2022-3169, CVE-2022-3303, CVE-2022-3521, CVE-2022-3524, CVE-2022-3534, CVE-2022-3545, CVE-2022-3564, CVE-2022-3565, CVE-2022-3586, CVE-2022-3594, CVE-2022-3606, CVE-2022-3621, CVE-2022-3625, CVE-2022-3628, CVE-2022-3629, CVE-2022-3633, CVE-2022-3635, CVE-2022-3646, CVE-2022-3649, CVE-2022-4095, CVE-2022-4129, CVE-2022-4139, CVE-2022-4269, CVE-2022-4304, CVE-2022-4450, CVE-2022-4662, CVE-2022-20421, CVE-2022-20422, CVE-2022-20566, CVE-2022-20572, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-21505, CVE-2022-26373, CVE-2022-32250, CVE-2022-32296, CVE-2022-34918, CVE-2022-36123, CVE-2022-36280, CVE-2022-36879, CVE-2022-36946, CVE-2022-39188, CVE-2022-39190, CVE-2022-40307, CVE-2022-40768, CVE-2022-41218, CVE-2022-41222, CVE-2022-41674, CVE-2022-41849, CVE-2022-41850, CVE-2022-42328, CVE-2022-42329, CVE-2022-42432, CVE-2022-42703, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722, CVE-2022-42895, CVE-2022-42896, CVE-2022-43750, CVE-2022-47518, CVE-2022-47520, CVE-2022-47929, CVE-2022-47946, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-0590, CVE-2023-1077, CVE-2023-1095, CVE-2023-1206, CVE-2023-2898, CVE-2023-3141, CVE-2023-3268, CVE-2023-3338, CVE-2023-3389, CVE-2023-3446, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3772, CVE-2023-3773, CVE-2023-3777, CVE-2023-4004, CVE-2023-4015, CVE-2023-4273, CVE-2023-4623, CVE-2023-4911, CVE-2023-4921, CVE-2023-5178, CVE-2023-5197, CVE-2023-5678, CVE-2023-5717, CVE-2023-6606, CVE-2023-6931, CVE-2023-6932, CVE-2023-7008, CVE-2023-7104, CVE-2023-23454, CVE-2023-23455, CVE-2023-23559, CVE-2023-26607, CVE-2023-31085, CVE-2023-31436, CVE-2023-32233, CVE-2023-35001, CVE-2023-35827, CVE-2023-36660, CVE-2023-37453, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42753, CVE-2023-42754, CVE-2023-42755, CVE-2023-45863, CVE-2023-45871, CVE-2023-48795, CVE-2023-50495, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767, CVE-2024-0232, CVE-2024-0553, CVE-2024-0567, CVE-2024-0584, CVE-2024-0684, CVE-2024-22365, CVE-2024-25062