Siemens SIMATIC RFID Readers

MonitorCVSS 6.5ICS-CERT ICSA-24-256-07Sep 10, 2024

Siemens

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

SIMATIC RFID Readers contain multiple vulnerabilities (CWE-912, CWE-200, CWE-703, CWE-284) that could allow an authenticated attacker with high-level credentials to cause denial-of-service, exploit hidden or undocumented functionality, and expose sensitive configuration information. The vulnerabilities affect multiple reader models across different regional compliance variants. An attacker could render the reader unresponsive, disrupting asset tracking operations, or extract sensitive data about tagged inventory. Siemens has released firmware updates addressing these issues.

What this means

What could happen

An attacker with high-level credentials could cause the RFID reader to become unresponsive (denial-of-service), access hidden functionality, or leak sensitive configuration information from inventory tracking operations.

Who's at risk

Water utilities, electric utilities, manufacturing facilities, and distribution centers using Siemens SIMATIC RFID readers for asset tracking, inventory management, or equipment identification. All SIMATIC RF and RFID Reader series models (RF610R, RF615R, RF650R, RF680R, RF685R, RF1140R, RF1170R, RF166C, RF185C, RF186C, RF186CI, RF188C, RF188CI, RF360R) across all regional variants (CMIIT, ETSI, FCC, ARIB) are affected.

How it could be exploited

An attacker must first gain high-level administrative privileges on the RFID reader (e.g., through compromised engineering workstation credentials or network infiltration). From there, they can send commands to the reader to trigger denial-of-service, exploit undocumented functions, or extract sensitive data about tagged items and system configuration.

Prerequisites

High-level (PR:H) administrative or engineering credentials on the RFID reader
Network access to the RFID reader on the management or administrative interface
Knowledge of or access to undocumented RFID reader commands or APIs

Remotely exploitable over networkRequires high-level administrative privileges to exploitLow complexity attackAffects inventory and asset tracking systemsNo patch available for all variants until firmware is updated

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (27)

27 with fix

ProductAffected VersionsFix Status

SIMATIC Reader RF680R CMIIT<V4.24.2

SIMATIC Reader RF680R ETSI<V4.24.2

SIMATIC Reader RF610R CMIIT<V4.24.2

SIMATIC Reader RF610R ETSI<V4.24.2

SIMATIC Reader RF610R FCC<V4.24.2

Remediation & Mitigation

0/7

Do now

0/1

WORKAROUNDRestrict network access to RFID readers using firewall rules; limit administrative connections to authorized engineering workstations only

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all SIMATIC Reader RF680R, RF610R, RF615R, RF650R, and RF685R models to firmware version 4.2 or later

HOTFIXUpdate SIMATIC RF1140R and RF1170R to firmware version 1.1 or later

HOTFIXUpdate SIMATIC RF166C, RF185C, RF186C, RF186CI, RF188C, RF188CI, and RF360R to firmware version 2.2 or later

Long-term hardening

0/3

HARDENINGIsolate RFID reader management interfaces from the business network and internet; place them behind firewalls in the industrial control zone

HARDENINGImplement network segmentation to prevent lateral movement if administrative credentials are compromised

HARDENINGUse VPN or other secure remote access methods if remote administration of RFID readers is required

CVEs (6)

CVE-2024-37990 CVE-2024-37991 CVE-2024-37992 CVE-2024-37993 CVE-2024-37994 CVE-2024-37995

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/03065d97-db17-49c7-b792-404ceb4140e8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.