OTPulse

Siemens SIMATIC S7-1500 CPUs

CVSS base score: 5.3
Source: ICS-CERT ICSA-24-284-10
Published: Oct 8, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An authentication bypass vulnerability (CVE-2024-46887, CWE-288: Authentication Bypass Using an Alternate Path or Channel) in Siemens SIMATIC S7-1500 CPUs and related devices (SIMATIC Drive Controller, SIMATIC ET 200SP CPUs, SIMATIC S7-1500 Software Controller, S7-PLCSIM Advanced, and SIPLUS variants) allows an unauthenticated remote attacker to read the actual and configured maximum cycle times and the communication load of an affected CPU. The CPU's integrated web server returns this runtime information without properly authenticating the request. Hardware CPUs are affected in firmware versions below 2.9.8 (V2 firmware line) or 3.1.4 (V3 firmware line), depending on the product; the S7-1500 Software Controller Linux V2 is affected and has no fix available.

What this means
What could happen
An attacker on your network could learn operating characteristics of your S7-1500 controllers, such as cycle times and communication load, without credentials. This information disclosure does not by itself control or disrupt your equipment, but it reveals how heavily loaded a CPU is and how its scan cycle is configured, details that could help an attacker plan a more targeted follow-on attack.
Who's at risk
Manufacturing and transportation facilities that use Siemens S7-1500 family CPUs: standard and fail-safe S7-1500 CPUs, distributed controllers such as the ET 200SP and ET 200pro CPUs, the ET 200SP Open Controller and the S7-1500 Software Controller running on industrial PCs, SIMATIC Drive Controllers, and SIPLUS variants. These controllers run motor drives, production lines, and other networked control systems connected over PROFINET or other TCP/IP-based networks; any of them whose web server is reachable from an untrusted network is exposed.
How it could be exploited
An attacker who can reach the CPU's Ethernet interface sends an unauthenticated request to the CPU's integrated web server for its runtime information and receives the cycle-time and communication-load statistics in the response. No credentials, session, or prior access to the system are required; the attacker only needs network reachability to the web server.
Prerequisites
  • Network access to the CPU's Ethernet interface, specifically to its integrated web server (HTTP on TCP 80 / HTTPS on TCP 443); the S7/PROFINET port (TCP 102) is not the path for this issue
  • No credentials required
  • CPU web server activated in the hardware configuration; no additional authentication layer protects the affected runtime-information endpoint once the web server is reachable
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for some products (S7-1500 Software Controller Linux V2)
  • Affects diagnostics and monitoring data
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (105): 104 with fix, 1 pending. First 5 of 105 rows shown; the same hardware appears once per firmware line (V2 fixed in 2.9.8, V3 fixed in 3.1.4).

Product                                | Affected Versions | Fixed In
SIMATIC Drive Controller CPU 1504D TF  | < 3.1.4           | 3.1.4
SIMATIC Drive Controller CPU 1507D TF  | < 3.1.4           | 3.1.4
SIMATIC ET 200SP CPU 1510SP F-1 PN     | < 2.9.8           | 2.9.8
SIMATIC ET 200SP CPU 1510SP F-1 PN     | < 3.1.4           | 3.1.4
SIMATIC ET 200SP CPU 1510SP-1 PN       | < 2.9.8           | 2.9.8
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and 1507D TF to firmware 3.1.4 or later
SIMATIC S7-1500 Software Controller Linux V3
HOTFIX: Update SIMATIC S7-1500 Software Controller Linux V3 to version 31.1.4 or later (V2 has no fix available)
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 7.0 or later
All products
HOTFIX: Update SIMATIC ET 200SP CPU 1510SP and 1512SP variants to firmware 2.9.8 (V2 firmware line) or 3.1.4 (V3 firmware line) or later, depending on the firmware line the CPU runs
HOTFIX: Update SIMATIC ET 200SP CPU 1514SP and 1514SPT variants to firmware 3.1.4 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 V2 to version 21.9.8 or later, and V3 variants to version 31.1.4 or later
HOTFIX: Update SIMATIC S7-1500 CPU 1511, 1512, 1513, 1515, 1516, 1517, and 1518 series to firmware 2.9.8 (V2 firmware line) or 3.1.4 (V3 firmware line) or later, depending on the firmware line the CPU runs
HOTFIX: Update SIMATIC S7-1500 Software Controller CPU 1507S and 1508S V2 to version 21.9.8 or later, and V3 variants to version 31.1.4 or later
HOTFIX: Update SIPLUS ET 200SP CPU variants to firmware 2.9.8 or later
HOTFIX: Update SIPLUS S7-1500 CPU variants to firmware 2.9.8 (V2 firmware line) or 3.1.4 (V3 firmware line) or later, depending on the firmware line the CPU runs
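The "depending on the firmware line" rule above is easy to get wrong in an asset inventory: a CPU on 3.0.x is numerically above 2.9.8 yet still affected, because its fix is 3.1.4. The script below, added as an example for this page and not OTPulse's or Siemens' code, encodes the fix thresholds from the remediation list and triages a constructed sample inventory. The product-family labels and asset names are this script's own, not Siemens order designations, and the "no fix" handling for the Software Controller Linux V2 is taken from the advisory text.

```python
"""Triage a CPU inventory against the fixed versions in this advisory.

Added example; not OTPulse's or Siemens' code. Fix thresholds come from the
remediation list on the page; family labels, asset names and versions in the
sample inventory are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Per family: the firmware lines the advisory lists, as (line_major, fixed_version).
# The device's line is selected by its major version; None means no fix exists.
# Hardware CPUs run either the V2 line (fixed in 2.9.8) or the V3 line (fixed in
# 3.1.4), so a CPU on 3.0.x is still affected even though 3.0 > 2.9.8.
FIX_LINES: Dict[str, List[Tuple[int, Optional[Version]]]] = {
    "s7-1500 cpu":               [(2, (2, 9, 8)), (3, (3, 1, 4))],
    "et 200sp cpu":              [(2, (2, 9, 8)), (3, (3, 1, 4))],
    "siplus cpu":                [(2, (2, 9, 8)), (3, (3, 1, 4))],
    "drive controller":          [(3, (3, 1, 4))],
    "open controller":           [(21, (21, 9, 8)), (31, (31, 1, 4))],
    "software controller":       [(21, (21, 9, 8)), (31, (31, 1, 4))],
    "software controller linux": [(21, None), (31, (31, 1, 4))],  # V2: no fix
    "plcsim advanced":           [(7, (7, 0))],
}


def parse_version(text: str) -> Version:
    """'V2.9.7', '2.9.7' or '3.1' -> tuple of ints; tuple ordering gives 2.9 < 2.9.8."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def classify(family: str, installed: str) -> str:
    """Return the remediation status of one device."""
    installed_v = parse_version(installed)
    # Take the first listed line whose major is >= the installed major, so a
    # legacy 1.x CPU is measured against the V2 fix and PLCSIM 5.x against 7.0.
    for line_major, fix in FIX_LINES[family.lower()]:
        if installed_v[0] <= line_major:
            break
    else:
        return "unknown firmware line, verify manually"
    if fix is None:
        return "affected: no fix available, isolate the device"
    if installed_v < fix:
        return f"affected: update to {fmt(fix)} or later"
    return "not affected"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Inventory rows are (asset name, family label, installed version)."""
    return [(name, classify(family, version)) for name, family, version in inventory]


# Constructed sample inventory (asset names and versions are made up).
SAMPLE_INVENTORY = [
    ("line1-plc", "S7-1500 CPU", "V2.9.7"),
    ("line2-plc", "S7-1500 CPU", "V3.0.3"),   # above 2.9.8 but below 3.1.4
    ("line3-plc", "ET 200SP CPU", "V3.1.4"),
    ("packaging-swcpu", "Software Controller Linux", "V21.9.5"),
    ("test-bench", "PLCSIM Advanced", "V5.0"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY):
        print(f"{name:18} {status}")
```

Feed it the output of your own inventory tool (TIA Portal hardware catalog export, a PROFINET discovery scan, or a CMDB query) by mapping each device to one of the family labels; anything that resolves to "unknown firmware line" or "no fix available" goes straight to the hardening list below.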
Long-term hardening
HARDENING: For the S7-1500 Software Controller Linux V2, which has no fix, restrict access to the controller's web server (TCP 80/443) to trusted engineering hosts by network segmentation and firewall rules, or deactivate the web server if it is not needed for operations
HARDENING: Place all CPUs in a segmented control network and allow access to the CPU web server (TCP 80/443) and to the S7/PROFINET port (TCP 102) only from authorized engineering workstations and control-network hosts; where the web server is not used, deactivate it in the hardware configuration so the unauthenticated endpoint is not exposed at all