Siemens SIMATIC MV500 Devices

Act NowCVSS 9.8ICS-CERT ICSA-23-194-04Jul 11, 2023

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SIMATIC MV500 devices before V3.3.4 contain multiple vulnerabilities in the web server and third-party components, including buffer overflows (CWE-120, CWE-787), improper input validation (CWE-20), weak cryptography (CWE-326), and resource exhaustion issues (CWE-770, CWE-400). These weaknesses could allow an unauthenticated attacker with network access to remotely execute arbitrary code, access sensitive information, or cause denial of service. The vulnerabilities affect all six MV500 model variants (MV540 H/S, MV550 H/S, MV560 U/X) in versions prior to 3.3.4.

What this means

What could happen

An attacker with network access could exploit multiple vulnerabilities in the web server and third-party components to execute arbitrary code, read sensitive data, or disable the MV500 device, potentially disrupting critical control logic in substations or generation facilities.

Who's at risk

Owners and operators of Siemens SIMATIC MV500 series voltage/power measurement and control devices, particularly in electrical utilities, substations, and generation facilities. This includes the MV540 H/S, MV550 H/S, and MV560 U/X models used for power distribution monitoring and control.

How it could be exploited

An attacker could send specially crafted network requests to the web server interface of an unpatched MV500 device. The combination of vulnerabilities (including buffer overflows, improper input validation, and weak cryptography) would allow remote code execution without authentication, giving the attacker full control over device operations.

Prerequisites

Network access to the MV500 device's web server interface (typically port 80/443)
Device must be running firmware version prior to V3.3.4
No authentication required to trigger most vulnerabilities

remotely exploitableno authentication requiredlow complexityhigh EPSS score (92.5%)affects control systemsmultiple vulnerabilities in web server

Exploitability

Likely to be exploited — EPSS score 92.8%

Public Proof-of-Concept (PoC) on GitHub (7 repositories)

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

SIMATIC MV540 H (6GF3540-0GE10)<V3.3.43.3.4

SIMATIC MV540 S (6GF3540-0CD10)<V3.3.43.3.4

SIMATIC MV550 H (6GF3550-0GE10)<V3.3.43.3.4

SIMATIC MV550 S (6GF3550-0CD10)<V3.3.43.3.4

SIMATIC MV560 U (6GF3560-0LE10)<V3.3.43.3.4

SIMATIC MV560 X (6GF3560-0HE10)<V3.3.43.3.4

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to MV500 web server interfaces using firewall rules; limit to engineering workstations and authorized management networks only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all SIMATIC MV500 series devices to firmware version 3.3.4 or later

Long-term hardening

0/1

HARDENINGSegment MV500 devices onto a protected industrial network separate from general IT networks; implement defense-in-depth with multiple security layers

CVEs (13)

CVE-2022-4450 CVE-2023-0215 CVE-2022-37434 CVE-2021-46828 CVE-2022-1012 CVE-2022-4304 CVE-2022-30767 CVE-2022-36946 CVE-2022-48285 CVE-2023-0286 CVE-2023-35920 CVE-2023-35921 CVE-2023-36521

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c3b8ffca-def3-43e7-bcf4-c07d4c137b08

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.