Siemens SIMATIC S7-1200 CPUs
Plan Patch · CVSS 7.1 · ICS-CERT ICSA-25-021-02 · Jan 14, 2025
Siemens · Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The web interface of SIMATIC S7-1200 CPUs before V4.7 is affected by a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious link that, when clicked by an operator with an active session to the PLC web interface, executes unauthorized configuration changes or commands on the PLC. Siemens has released firmware version 4.7 and later to address this issue for all affected S7-1200 and SIPLUS S7-1200 CPU models.
What this means
What could happen
An attacker could trick an operator into clicking a malicious link, allowing the attacker to modify PLC settings or stop processes without the operator's knowledge, potentially disrupting critical control logic or process safety.
Who's at risk
Organizations operating SIMATIC S7-1200 or SIPLUS S7-1200 CPUs in industrial control systems, particularly in transportation and critical infrastructure such as water treatment, power distribution, and manufacturing facilities. The S7-1200 is a compact PLC commonly used in small to medium automation applications.
How it could be exploited
An attacker crafts a malicious link or webpage and tricks an operator with access to the S7-1200 web interface into clicking it. The attacker's forged request runs in the operator's browser session, executing unauthorized configuration changes to the PLC (such as modifying setpoints or disabling logic) without additional user consent.
Prerequisites
- Network access to the S7-1200 web interface (port 80 or 443)
- A user logged in to the S7-1200 web interface who clicks a malicious link
- No additional authentication required beyond the victim's existing session
remotely exploitable · low complexity · user interaction required (operator must click link) · affects industrial control logic
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (34)
34 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC S7-1200 CPU 1211C AC/DC/Rly | <V4.7 | 4.7 |
| SIMATIC S7-1200 CPU 1211C DC/DC/DC | <V4.7 | 4.7 |
| SIMATIC S7-1200 CPU 1211C DC/DC/Rly | <V4.7 | 4.7 |
| SIMATIC S7-1200 CPU 1212C AC/DC/Rly | <V4.7 | 4.7 |
| SIMATIC S7-1200 CPU 1212C DC/DC/DC | <V4.7 | 4.7 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the S7-1200 web interface to trusted engineering workstations and control systems only, using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SIMATIC S7-1200 CPU firmware to version 4.7 or later
- HOTFIX: Update SIPLUS S7-1200 CPU firmware to version 4.7 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate S7-1200 CPUs on a protected OT network separate from general IT and untrusted networks
- HARDENING: Train operators not to click on links in unexpected emails or messages, especially those directing to PLC configuration pages
CVEs (1)
API: /api/v1/advisories/69b27de1-cdc9-400d-be04-a36e11450bdf