OTPulse

Siemens SIMATIC and SIPLUS

Priority: Act Now
Score: 9.8
Source: ICS-CERT ICSA-24-165-10
Published: Jun 11, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and equivalent SIPLUS ET 200SP modules before firmware version V2.3 contain multiple critical vulnerabilities in third-party components and the integrated web server. The vulnerabilities include improper buffer handling, insecure cryptographic practices, race conditions, unsafe deserialization, integer overflows, null pointer dereferences, and inadequate input validation. These allow remote code execution without credentials. Siemens has released firmware V2.3 with fixes for all affected products.

What this means
What could happen
Attackers could remotely execute arbitrary code on SIMATIC communication modules without authentication, potentially allowing them to alter process settings, interrupt water or power distribution operations, or gain control of critical network infrastructure.
Who's at risk
This affects water authorities and utilities operating Siemens SIMATIC CP 1542SP-1 or CP 1543SP-1 communication modules, and equivalent SIPLUS industrial modules used in field automation, remote telemetry units (RTUs), or programmable logic controller (PLC) networks. These devices are critical for remote monitoring and control of pumps, valves, substations, and distribution operations. Transportation systems using these modules are also affected.
How it could be exploited
An attacker on the network (or internet if the device is exposed) sends a specially crafted request to the integrated web server running on the SIMATIC CP module. The request exploits one or more of the underlying weaknesses (buffer overflows, insecure deserialization, missing input validation) to execute commands directly on the module, bypassing all authentication mechanisms.
Prerequisites
  • Network reachability to the SIMATIC CP module (typically port 80/443 for the web server, or port 102 for S7 protocol)
  • No authentication required—the vulnerability can be exploited by any network-adjacent attacker
  • The device must be running firmware version below V2.3
Key factors
  • Remotely exploitable without authentication
  • No network access restriction required
  • Low complexity attack
  • High EPSS score (88.5% probability of exploitation)
  • Affects safety-critical control system components
  • Affects both the standard SIMATIC modules and the SIPLUS hardened variants
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (6)
6 with fix
Product                                  | Affected Versions | Fix Status
SIMATIC CP 1542SP-1                      | < V2.3            | Fixed in V2.3
SIMATIC CP 1542SP-1 IRC                  | < V2.3            | Fixed in V2.3
SIMATIC CP 1543SP-1                      | < V2.3            | Fixed in V2.3
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL  | < V2.3            | Fixed in V2.3
SIPLUS ET 200SP CP 1543SP-1 ISEC         | < V2.3            | Fixed in V2.3
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL | < V2.3            | Fixed in V2.3
Remediation & Mitigation
Do now
SIMATIC CP 1542SP-1
HOTFIX: Update all SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and equivalent SIPLUS ET 200SP modules to firmware version V2.3 or later
All products
WORKAROUND: Restrict network access to the SIMATIC CP modules using firewall rules—allow only trusted engineering workstations and control system network traffic; deny any internet-facing access
Long-term hardening
HARDENING: If remote access is required, implement a VPN (Virtual Private Network) with strong authentication and keep it updated to the latest version
HARDENING: Isolate the SIMATIC CP modules and associated control system networks from business networks and the internet using network segmentation
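As an added example (not part of the OTPulse advisory or any Siemens tooling), a small audit that applies the network-restriction workaround above to firewall connection logs: it flags any access to a CP module's web server (80/443) or S7 port (102) from a source other than the allowlisted engineering workstations, and separately calls out sources outside the assumed control-network range as internet-facing exposure. All addresses, ranges and log lines are constructed; the log format is assumed.

```python
# Added example (not from the OTPulse advisory or Siemens): audit firewall logs
# for CP-module traffic the "trusted workstations only" workaround would deny.
from ipaddress import ip_address, ip_network

# Services named in the advisory's prerequisites: web server (80/443), S7 (102).
CP_MODULE_PORTS = {80, 443, 102}
# Assumed inventory (constructed): CP modules, allowed engineering workstations,
# and the address range owned by the control network itself.
CP_MODULES = {ip_address(a) for a in ("10.20.5.11", "10.20.5.12")}
TRUSTED_WORKSTATIONS = {ip_address(a) for a in ("10.20.1.50", "10.20.1.51")}
CONTROL_NETWORKS = [ip_network("10.20.0.0/16")]

def parse_line(line):
    """Parse a constructed 'src=... dst=... dport=...' log line; None if malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return ip_address(fields["src"]), ip_address(fields["dst"]), int(fields["dport"])
    except (KeyError, ValueError):
        return None

def audit(lines):
    """Return (src, dst, dport, reason) for every CP-module connection from a
    source the workaround does not permit."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than abort the audit
        src, dst, dport = parsed
        if dst not in CP_MODULES or dport not in CP_MODULE_PORTS:
            continue  # not traffic to a CP module service
        if src in TRUSTED_WORKSTATIONS:
            continue  # allowed by the workaround
        if any(src in net for net in CONTROL_NETWORKS):
            reason = "untrusted internal source"
        else:
            reason = "source outside the control network"  # internet-facing exposure
        findings.append((str(src), str(dst), dport, reason))
    return findings

# Constructed sample: trusted access, internal violation, external hit on the
# web server, an unrelated flow, and a malformed line.
SAMPLE_LOG = [
    "src=10.20.1.50 dst=10.20.5.11 dport=443 action=allow",
    "src=10.20.7.9 dst=10.20.5.11 dport=102 action=allow",
    "src=203.0.113.7 dst=10.20.5.12 dport=80 action=allow",
    "src=10.20.7.9 dst=10.20.9.1 dport=22 action=allow",
    "garbage line",
]
```

Running `audit(SAMPLE_LOG)` returns two findings: the internal host reaching the S7 port and the external address reaching the web server; the trusted workstation and the unrelated flow are not reported.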