Siemens SIMATIC S7-1500 and S7-1200 CPUs
Monitor | CVSS 4.7 | ICS-CERT ICSA-24-284-01 | Oct 8, 2024
Siemens | Manufacturing | Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
An open redirect vulnerability in the web server of SIMATIC S7-1500 and S7-1200 PLCs allows attackers to redirect users to attacker-controlled URLs when users click on crafted links. The vulnerability affects multiple hardware variants and software-based controllers across both product families.
What this means
What could happen
An attacker could trick users into visiting a malicious website by crafting a link that appears to come from your PLC. While this does not by itself compromise the PLC, it could be used to harvest credentials or deploy malware on engineering workstations that interact with your control systems.
Who's at risk
Manufacturing and transportation facilities using Siemens SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs), including compact controllers, distributed I/O controllers (ET 200SP), drive controllers, and software-based controller variants. Any organization relying on these controllers for production automation, assembly, conveyor control, or other critical processes should assess their deployment.
How it could be exploited
An attacker crafts a phishing email or social media post containing a malicious link that appears to be from your PLC's web interface. When an engineer or operator clicks the link, the PLC redirects them to an attacker-controlled website that may harvest credentials, install malware, or gather information about your network. The attacker must trick the user into clicking the link; the PLC itself is not compromised by this vulnerability.
Prerequisites
- User must click on an attacker-crafted link
- Web access to the PLC's interface enabled (HTTP/HTTPS)
Tags: remotely exploitable, low complexity, user interaction required (click on link), affects industrial control systems, no patch available for Linux variant (V2)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (144)
143 with fix, 1 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIPLUS S7-1500 CPU 1511-1 PN TX RAIL | < 2.9.8 | 2.9.8 |
| SIPLUS S7-1500 CPU 1511F-1 PN | < 2.9.8 | 2.9.8 |
| SIPLUS S7-1500 CPU 1513-1 PN | < 2.9.8 | 2.9.8 |
| SIPLUS S7-1500 CPU 1513F-1 PN | < 2.9.8 | 2.9.8 |
| SIPLUS S7-1500 CPU 1515F-2 PN | < 2.9.8 | 2.9.8 |
Remediation & Mitigation
Do now
- WORKAROUND: Disable or restrict web access to PLC interfaces to only authorized engineering workstations using firewall rules or network access controls
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.7.0 or later
- HOTFIX: Update SIMATIC S7-1500 CPUs to firmware version 2.9.8 or 3.1.4 or later depending on hardware variant
- HOTFIX: Update SIMATIC ET 200SP CPUs to firmware version 2.9.8 or 3.1.4 or later depending on hardware variant
- HOTFIX: Update SIMATIC Drive Controller CPUs to firmware version 3.1.4 or later
Long-term hardening
- HARDENING: Provide user awareness training to engineering and operations staff to avoid clicking links in unsolicited emails or messages
CVEs (1)
API: /api/v1/advisories/aef06bda-4562-44ca-aa38-f4a37e6f405d