OTPulse

Siemens LOGO! V8.3 BM Devices

Monitor · 4.6 · ICS-CERT ICSA-24-228-05 · Aug 13, 2024
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens LOGO! V8.3 BM devices (and SIPLUS variants) store user-set passwords in plaintext within an embedded storage IC. An attacker with physical access to the device can directly extract these credentials without authentication. Siemens has released fixed hardware versions (LOGO! V8.4 BM and SIPLUS LOGO! V8.4 BM) for all affected device models. No firmware update is available for existing V8.3 devices.

What this means
What could happen
An attacker with physical access to a LOGO! V8.3 BM device can extract plaintext passwords stored on the device, potentially allowing unauthorized access to the controller for configuration changes or process manipulation.
Who's at risk
Water authorities and electric utilities that use Siemens LOGO! V8.3 BM programmable logic controllers (PLCs) for process automation, including all RCE, RCEo, CE, and CEo variants, and their SIPLUS industrial-grade equivalents. These devices commonly control small to medium-scale processes like pump stations, water treatment, or electrical distribution substations.
How it could be exploited
An attacker with physical access to the device removes or directly accesses the embedded storage IC (integrated circuit) where user-set passwords are stored in plaintext, then extracts these credentials without requiring authentication or specialized knowledge.
Prerequisites
  • Physical access to the LOGO! device
  • Ability to access or remove the embedded storage IC component
  • Physical access required for exploitation
  • No patch available—hardware upgrade needed
  • Plaintext password storage
  • Affects all current V8.3 BM versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (16)
16 EOL
Product | Affected Versions | Fix Status
LOGO! 12/24RCE | All versions | No fix (EOL)
LOGO! 12/24RCEo | All versions | No fix (EOL)
SIPLUS LOGO! 12/24RCE | All versions | No fix (EOL)
SIPLUS LOGO! 12/24RCEo | All versions | No fix (EOL)
SIPLUS LOGO! 230RCEo | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to LOGO! devices through cabinet locks, enclosures, or secure mounting in controlled areas
HARDENING: Implement network access controls and firewall rules to limit connectivity to LOGO! devices to authorized engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to LOGO! V8.4 BM or SIPLUS LOGO! V8.4 BM hardware versions where the vulnerability is fixed
Mitigations - no patch available
The following products have reached End of Life with no planned fix: LOGO! 12/24RCE, LOGO! 12/24RCEo, SIPLUS LOGO! 12/24RCE, SIPLUS LOGO! 12/24RCEo, SIPLUS LOGO! 230RCEo, SIPLUS LOGO! 24RCEo, LOGO! 230RCE, LOGO! 230RCEo, SIPLUS LOGO! 230RCE, LOGO! 24CE, LOGO! 24CEo, SIPLUS LOGO! 24CE, SIPLUS LOGO! 24CEo, LOGO! 24RCE, LOGO! 24RCEo, SIPLUS LOGO! 24RCE. Apply the following compensating controls:
HARDENING: Follow Siemens operational guidelines for Industrial Security and configure the device environment according to product manuals