Siemens SIMATIC MV500
Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-23-320-13
Published: Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC MV500 before V3.3.5 is affected by multiple vulnerabilities including buffer overflow (CWE-120), null pointer dereference (CWE-476), improper authentication (CWE-287), improper input validation (CWE-1333), and out-of-bounds write (CWE-787). These flaws can be exploited remotely without authentication or user interaction. Siemens has released a patch in version 3.3.5.
What this means
What could happen
An attacker could remotely execute code on the SIMATIC MV500 module controller without credentials, allowing them to modify control logic, alter setpoints, or disable the device entirely and interrupt water/power operations. The system would operate under attacker control with no visibility to operators.
Who's at risk
Water and electrical utilities operating Siemens SIMATIC MV500 module controllers in their distributed control systems (DCS) or real-time process monitoring. This device is commonly found in infrastructure automation for pressure management, flow control, and power distribution. Any plant running MV500 firmware versions below 3.3.5 is affected.
How it could be exploited
An attacker on the network can send specially crafted input to the MV500 device to trigger buffer overflow or null pointer dereference flaws, bypassing all authentication checks. Once the device processes this malicious input, the attacker gains code execution with full system privileges and can execute arbitrary commands on the controller.
Prerequisites
- Network access to the SIMATIC MV500 device over its operational port (typically Ethernet or serial-to-Ethernet gateway)
- Device is running firmware version earlier than 3.3.5
- No credentials or special configuration required
Tags: remotely exploitable · no authentication required · low complexity · high CVSS 9.8 · multiple code execution flaws
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (1)
Product | Affected Versions | Fix Status
SIMATIC MV500 family | < V3.3.5 | 3.3.5
Remediation & Mitigation
Do now
- HARDENING: Isolate SIMATIC MV500 devices from the internet and corporate network; place them behind firewalls with access restricted to authorized engineering workstations only
- HARDENING: Restrict network access to MV500 devices to only required engineering and monitoring systems; disable unnecessary services and ports
- WORKAROUND: If remote access to MV500 is required, use a VPN and ensure the VPN is kept up to date with the latest security patches
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SIMATIC MV500 to firmware version 3.3.5 or later
CVEs (8)
API: /api/v1/advisories/fffc1281-76e9-4671-bf6c-5a4f6d488314