Siemens SIMATIC IPCs
Monitor · 6.5 · ICS-CERT ICSA-23-257-05 · Sep 12, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Several Intel-CPU based SIMATIC IPCs are affected by CVE-2022-40982, an information disclosure vulnerability in Intel processors known as Gather Data Sampling (GDS) or Downfall Attacks. An authenticated local user could potentially read other users' data from the system memory. This is not remotely exploitable; it requires local access or a valid local account. Siemens has released firmware updates for most products. The SIMATIC IPC1047 is end-of-life and will not receive a fix.
What this means
What could happen
An authenticated local user with access to a SIMATIC IPC could read data belonging to other users on the same system by exploiting a CPU vulnerability, potentially exposing sensitive process data or engineering configurations. This affects systems using Intel CPUs vulnerable to Gather Data Sampling (GDS/Downfall) attacks.
Who's at risk
This vulnerability affects Siemens SIMATIC IPCs used in industrial control environments, including process control systems in manufacturing, water utilities, and power generation facilities. The affected devices are industrial PCs running on Intel CPUs and used for SCADA/HMI/supervisory control tasks. Organizations operating SIMATIC IPC BX-39A, PX-39A, RW-543A, 1047/1047E, 627E, 647E, 677E, or 847E systems, or Field PG M6 engineering workstations, should assess their exposure.
How it could be exploited
An attacker with a valid local user account on a SIMATIC IPC (e.g., an engineering account or service technician credentials) could execute code locally to read sensitive data from other users' memory or processes. The attacker does not need to be physically present if they have remote terminal access (RDP, SSH) to the device. Exploitation requires local execution—it is not remotely exploitable over the network.
Prerequisites
- Valid local user account on the SIMATIC IPC (engineering account, service account, or operator login)
- Local execution capability (physical access, remote terminal/RDP/SSH session, or ability to run code as that user)
- Target device must be running an Intel CPU vulnerable to GDS/Downfall (CVE-2022-40982)
- Device must be running an affected firmware version without the patch applied
- Requires valid local user credentials—no unauthenticated remote attack
- Low attack complexity once credentials are obtained
- Information disclosure only—does not allow code execution, data modification, or denial of service
- No patch available for SIMATIC IPC1047 (all versions)
- Affects sensitive process data and engineering configurations
- Credentials may be compromised through social engineering, insider threats, or weak password practices in shared engineering environments
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (11)
10 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC Field PG M6 | <V26.01.11 | 26.01.11 |
| SIMATIC IPC BX-39A | <V29.01.04 | 29.01.04 |
| SIMATIC IPC PX-39A | <V29.01.04 | 29.01.04 |
| SIMATIC IPC PX-39A PRO | <V29.01.04 | 29.01.04 |
| SIMATIC IPC RW-543A | <V1.1.2 | 1.1.2 |
| SIMATIC IPC1047E | <V4.2 | 4.2 |
| SIMATIC IPC627E | <V25.02.14 | 25.02.14 |
| SIMATIC IPC647E | <V25.02.14 | 25.02.14 |
Remediation & Mitigation
Do now
SIMATIC IPC1047
WORKAROUND: Ensure SIMATIC IPC1047 (all versions, no fix available) is isolated from untrusted networks and restrict local user access to trusted engineering/operations personnel only
All products
WORKAROUND: Restrict local user account creation to trusted personnel only; audit and remove unnecessary accounts from engineering and service roles
HARDENING: Disable or remove remote access capabilities (RDP, SSH) on SIMATIC IPCs unless absolutely required for operations; use VPN with strong authentication if remote access is necessary
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Field PG M6
HOTFIX: Update SIMATIC Field PG M6 to firmware version 26.01.11 or later
SIMATIC IPC BX-39A
HOTFIX: Update SIMATIC IPC BX-39A to firmware version 29.01.04 or later
SIMATIC IPC PX-39A
HOTFIX: Update SIMATIC IPC PX-39A to firmware version 29.01.04 or later
HOTFIX: Update SIMATIC IPC PX-39A PRO to firmware version 29.01.04 or later
SIMATIC IPC RW-543A
HOTFIX: Update SIMATIC IPC RW-543A to firmware version 1.1.2 or later
SIMATIC IPC1047E
HOTFIX: Update SIMATIC IPC1047E to firmware version 4.2 or later
SIMATIC IPC627E
HOTFIX: Update SIMATIC IPC627E to firmware version 25.02.14 or later
SIMATIC IPC647E
HOTFIX: Update SIMATIC IPC647E to firmware version 25.02.14 or later
SIMATIC IPC677E
HOTFIX: Update SIMATIC IPC677E to firmware version 25.02.14 or later
SIMATIC IPC847E
HOTFIX: Update SIMATIC IPC847E to firmware version 25.02.14 or later
Mitigations - no patch available
SIMATIC IPC1047 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate SIMATIC IPC devices from the business network; place devices behind firewalls that restrict inbound access to authorized management stations only
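A firmware audit against the fixed versions listed in this advisory, as an added example (not Siemens or ICS-CERT code). The inventory rows and the status labels are constructed for illustration; versions are compared numerically because a plain string comparison would rank 1.1.10 below 1.1.2.

```python
import re

# Fixed firmware versions as listed in this advisory; None = end-of-life, no fix.
FIXED_FIRMWARE = {
    "SIMATIC Field PG M6": "26.01.11",
    "SIMATIC IPC RW-543A": "1.1.2",
    "SIMATIC IPC1047E": "4.2",
    "SIMATIC IPC1047": None,
    **dict.fromkeys(("SIMATIC IPC BX-39A", "SIMATIC IPC PX-39A",
                     "SIMATIC IPC PX-39A PRO"), "29.01.04"),
    **dict.fromkeys(("SIMATIC IPC627E", "SIMATIC IPC647E",
                     "SIMATIC IPC677E", "SIMATIC IPC847E"), "25.02.14"),
}

def parse_version(text):
    """Parse 'V25.02.14' into (25, 2, 14); trailing zeros dropped so 4.2.0 == 4.2."""
    m = re.fullmatch(r"[Vv]?\s*(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(product, installed):
    """Status labels below are this example's own, not terms from the advisory."""
    if product not in FIXED_FIRMWARE:
        return "not-listed"
    fixed = FIXED_FIRMWARE[product]
    if fixed is None:
        return "eol-no-fix"          # compensating controls only
    try:
        have = parse_version(installed)
    except ValueError:
        return "unknown-version"     # treat as unpatched until verified
    # Numeric tuple comparison: as strings, "1.1.10" would sort below "1.1.2".
    return "fixed" if have >= parse_version(fixed) else "update-required"

# Constructed sample inventory: (product, installed firmware as reported).
INVENTORY = [
    ("SIMATIC IPC627E", "V25.02.12"), ("SIMATIC IPC847E", "V25.02.14"),
    ("SIMATIC IPC1047E", "4.1.9"), ("SIMATIC IPC1047", "V3.0"),
    ("SIMATIC IPC RW-543A", "V1.1.10"), ("SIMATIC IPC BX-39A", "n/a"),
]

def audit(inventory):
    return [(product, ver, classify(product, ver)) for product, ver in inventory]

for row in audit(INVENTORY):
    print(*row, sep="\t")
```

Rows reported as `unknown-version` or `eol-no-fix` belong in the same follow-up queue as `update-required`, since neither can be shown to carry the fix.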
CVEs (1)