OTPulse

Siemens SIMATIC S7-1500 and S7-1200 CPUs

Monitor · 4.7 · ICS-CERT ICSA-24-284-01 · Oct 8, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Open redirect vulnerability in the web server of SIMATIC S7-1200 and S7-1500 CPU families, including SIPLUS variants, Drive Controllers, ET 200SP CPUs, Open Controller variants, and S7-1500 Software Controllers. An attacker can craft a malicious URL that causes the device's web server to redirect a legitimate user to an attacker-chosen website. This could be used in phishing attacks to capture credentials or deliver malware. The vulnerability is CWE-601 and requires user interaction to be exploited. Siemens has released firmware updates for most affected products. For products without fixes or not yet patched, Siemens recommends following general network security practices and not clicking links from unknown sources.

What this means
What could happen
An attacker could craft a malicious link that redirects users of the device's web interface to an attacker-controlled site, potentially capturing credentials or spreading malware. The attack requires user interaction—a legitimate operator must click the malicious link.
Who's at risk
Manufacturing and transportation operators using Siemens SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs), Drive Controllers, ET 200SP distributed I/O modules, and S7-1500 software controllers should assess their deployment. The vulnerability affects the web-based interface used by engineers and operators to monitor or configure process logic, I/O, and safety parameters.
How it could be exploited
An attacker crafts a specially formatted URL that exploits an open redirect vulnerability in the CPU's web server. The attacker then tricks a legitimate user (plant operator or engineer) into clicking the link, typically via email or social engineering. The web server redirects the user to an attacker-chosen URL without validation, which could harvest credentials or deliver malware.
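One way to detect the redirect behaviour described above, added here as an example and not taken from the advisory or from Siemens: flag 3xx responses from PLC web servers whose Location header points off the device. The log format, IP addresses, path and hostnames are constructed assumptions, and devices are assumed to be addressed by IP in the log.

```python
from urllib.parse import urlsplit

# Constructed inventory and proxy log lines (assumed format, not from the advisory):
# timestamp client dest_host status location
PLC_WEB_HOSTS = {"10.20.0.11", "10.20.0.12"}
SAMPLE_LOG = """\
2024-10-09T08:01:12Z 10.30.5.21 10.20.0.11 302 /start.html
2024-10-09T08:03:40Z 10.30.5.22 10.20.0.11 302 https://login.example.net/
2024-10-09T08:04:02Z 10.30.5.22 10.20.0.12 303 //files.example.org/update
2024-10-09T08:05:19Z 10.30.5.23 10.20.0.12 200 -
2024-10-09T08:06:55Z 10.30.5.23 10.99.0.5 302 https://sso.example.com/
2024-10-09T08:07:30Z 10.30.5.24 10.20.0.12 301 https://10.20.0.12/
""".splitlines()


def redirect_target_host(location):
    """Host a browser would navigate to, or None for a same-site relative path."""
    # Browsers treat backslashes as slashes, so "/\\host" behaves like "//host".
    host = urlsplit(location.replace("\\", "/")).hostname
    return host.lower() if host else None


def find_offsite_redirects(lines, plc_hosts):
    """Return (timestamp, client, plc, target_host) for redirects leaving the PLC."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, dest, status, location = fields
        # Only 3xx responses served by a known PLC web interface are of interest.
        if dest not in plc_hosts or not status.startswith("3"):
            continue
        target = redirect_target_host(location)
        # Relative paths and redirects back to the same device are expected.
        if target and target != dest:
            findings.append((ts, client, dest, target))
    return findings


if __name__ == "__main__":
    for finding in find_offsite_redirects(SAMPLE_LOG, PLC_WEB_HOSTS):
        print("off-device redirect: %s client=%s plc=%s -> %s" % finding)
```

The client address in each finding identifies the workstation whose user followed the link, which is where credential-reset and malware triage should start.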
Prerequisites
  • Network access to the CPU's web interface (HTTP/HTTPS)
  • User must actively click an attacker-crafted link
  • No authentication required to trigger the redirect
  • Remotely exploitable
  • No authentication required for redirect
  • Low attack complexity
  • Affects commonly deployed PLCs
  • Requires user interaction (social engineering component)
  • No patch available for some variants (S7-1500 Software Controller Linux V2)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (144)
143 with fix, 1 pending
Product | Affected Versions | Fix Status
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL | < 2.9.8 | 2.9.8
SIPLUS S7-1500 CPU 1511F-1 PN | < 2.9.8 | 2.9.8
SIPLUS S7-1500 CPU 1513-1 PN | < 2.9.8 | 2.9.8
SIPLUS S7-1500 CPU 1513F-1 PN | < 2.9.8 | 2.9.8
SIPLUS S7-1500 CPU 1515F-2 PN | < 2.9.8 | 2.9.8
Remediation & Mitigation
Do now
WORKAROUND: Do not click links from unknown or untrusted sources, especially in email
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 7.0 or later
All products
HOTFIX: Update SIMATIC Drive Controller CPU to version 3.1.4 or later
HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.7.0 or later
HOTFIX: Update SIMATIC S7-1500 CPUs to firmware version 2.9.8 or version 3.1.4 or later (depending on model)
HOTFIX: Update SIMATIC ET 200SP CPUs to firmware version 2.9.8 or version 3.1.4 or later (depending on model)
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 21.9.8 (V2) or version 31.1.4 (V3) or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 21.9.8 (Windows OS V2) or version 31.1.4 (V3) or later
Long-term hardening
HARDENING: Restrict network access to CPU web interfaces using firewall rules; block unauthorized users from reaching the device's HTTP/HTTPS ports
HARDENING: Isolate control system networks from the business network and internet
HARDENING: Use VPN for any required remote access to engineering workstations