OTPulse

Siemens SIMATIC S7-1500 CPU family

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-23-348-09 · Dec 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A use-after-free vulnerability (CWE-416) exists in the SIMATIC S7-1500 CPU family and related Siemens products. An attacker with network access to port 102/TCP can send a specially crafted packet that triggers improper memory handling in the affected device, causing the CPU to stop responding. The vulnerability affects dozens of S7-1500 CPU variants, Drive Controllers, ET 200 controllers, and Software Controller instances.

What this means
What could happen
An attacker can cause your PLC to crash and stop processing, halting all logic execution and control of attached machinery or processes. Recovery requires manual restart of the affected CPU.
Who's at risk
Manufacturing and transportation facilities that use Siemens S7-1500 PLC controllers. This includes any site running SIMATIC S7-1500 CPUs (all variants from 1510 to 1518 series), ET 200 controllers, Drive Controllers, or Siemens SIPLUS ruggedized variants in machinery control, process automation, or safety systems.
How it could be exploited
An attacker on your network (or with network access to the PLC) sends a malformed packet to port 102/TCP (the S7 communication port). The packet triggers a use-after-free condition in the firmware, causing the CPU to crash. No credentials or configuration knowledge is required.
Prerequisites
  • Network access to port 102/TCP on the affected S7-1500 CPU or related device
  • No credentials or authentication required
Tags: remotely exploitable · no authentication required · low complexity · affects industrial control logic · no patch available for many variants
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (98)
48 with fix, 50 pending
Product                          | Affected Versions | Fix Status
SIMATIC S7-1500 CPU 1512SP-1 PN  | All versions      | No fix yet
SIMATIC S7-1500 CPU 1512SP-1 PN  | < V3.1.0          | 3.1.0
SIMATIC S7-1500 CPU 1513-1 PN    | All versions      | No fix yet
SIMATIC S7-1500 CPU 1513-1 PN    | < V3.1.0          | 3.1.0
SIMATIC S7-1500 CPU 1513F-1 PN   | All versions      | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 102/TCP on all S7-1500 CPUs, ET 200 controllers, and Drive Controllers to only trusted engineering workstations and HMI systems; use firewall rules or network segmentation to block unauthorized access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and 1507D TF to firmware version 3.1.0 or later
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 and SIMATIC S7-1500 Software Controller to firmware version 30.1.0 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 6.0 or later
All products
HOTFIX: Update SIMATIC S7-1500 CPUs (1510SP, 1511, 1512, 1513, 1514SP, 1515, 1516, 1517, 1518 series) to firmware version 3.1.0 or later; CPUs 1513R-1, 1515R-2, 1517H-3, 1518HF-4 to version 3.1.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate S7-1500 CPUs and related controllers on a separate VLAN with restricted access to port 102/TCP
HARDENING: Monitor for unexpected S7 protocol traffic on port 102/TCP to detect potential attack attempts
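The workaround above (only trusted engineering workstations and HMIs may reach 102/TCP) and the hardening item (monitor for unexpected S7 traffic) can be checked with the same piece of detection logic: scan connection logs for 102/TCP sessions, completed or merely attempted, whose source is not on the allow list. The following is an added example written for this page; it is not OTPulse or Siemens code. The Zeek-style conn.log format, the addresses, and the allow list (TRUSTED_SOURCES) are assumptions constructed for the example.

```python
"""Detect S7 (102/TCP) connections to PLCs from hosts outside the trusted set.

Added example for this advisory; it is not OTPulse or Siemens code. The
log format (Zeek-style conn.log, tab-separated), the addresses, and the
allow list are assumptions constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

S7_PORT = 102  # S7 communication port named in the advisory

# Assumed allow list: engineering workstations and HMIs permitted to talk S7.
TRUSTED_SOURCES = [ip_network("10.10.5.0/29"), ip_network("10.10.6.15/32")]

# Constructed sample log. Columns: ts, uid, id.orig_h, id.orig_p, id.resp_h,
# id.resp_p, proto, conn_state (Zeek conn.log order, subset of fields).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1702380000.1\tC1\t10.10.5.2\t49152\t10.10.20.11\t102\ttcp\tSF
1702380001.3\tC2\t10.10.6.15\t49160\t10.10.20.12\t102\ttcp\tSF
1702380002.7\tC3\t192.168.77.4\t51000\t10.10.20.11\t102\ttcp\tRSTO
1702380003.0\tC4\t10.10.5.2\t49170\t10.10.20.11\t443\ttcp\tSF
1702380004.2\tC5\t10.10.9.9\t52000\t10.10.20.13\t102\ttcp\tS0
"""


@dataclass
class Finding:
    uid: str
    src: str
    dst: str
    conn_state: str


def parse_conn_line(line):
    """Return a dict for one conn.log record, or None for comment/malformed lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    try:
        return {
            "uid": fields[1],
            "orig_h": ip_address(fields[2]),
            "resp_h": ip_address(fields[4]),
            "resp_p": int(fields[5]),
            "proto": fields[6],
            "conn_state": fields[7],
        }
    except ValueError:  # unparsable address or port
        return None


def is_trusted(src):
    """True if the source address falls inside any allow-listed network."""
    return any(src in net for net in TRUSTED_SOURCES)


def find_untrusted_s7_connections(log_text):
    """Every 102/TCP connection, completed or attempted, from a non-allow-listed source."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["resp_p"] != S7_PORT:
            continue
        if is_trusted(rec["orig_h"]):
            continue
        findings.append(
            Finding(rec["uid"], str(rec["orig_h"]), str(rec["resp_h"]), rec["conn_state"])
        )
    return findings


def summarize_by_source(findings):
    """Count flagged connections per source address, most active first."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for f in find_untrusted_s7_connections(SAMPLE_CONN_LOG):
        print(f"{f.uid}: {f.src} -> {f.dst}:{S7_PORT} ({f.conn_state})")
```

Two design choices matter here. First, the scan keys on the destination port and protocol, not on the connection state: an attempt that never completed (Zeek state S0) from an unexpected host is still worth an alert, since the advisory's trigger is a single crafted packet rather than an established session. Second, the allow list is expressed as networks rather than individual addresses, so a jump host or HMI segment is one entry and a new machine appearing on an engineering VLAN is still caught if it sits outside that range.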