Siemens SIMATIC S7-1200 CPUs
Plan Patch | 7.1 | ICS-CERT ICSA-25-021-02 | Jan 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The web interface of SIMATIC S7-1200 and SIPLUS S7-1200 CPUs before firmware version 4.7 is affected by a cross-site request forgery (CSRF) vulnerability (CWE-352). An attacker can craft a malicious web page that, when visited by an authorized user accessing the PLC's web interface, forces the user's browser to submit unauthorized commands to the PLC without the user's knowledge or consent.
What this means
What could happen
An attacker can trick an authorized operator into visiting a malicious website, which could then modify PLC configuration, process parameters, or other settings without the operator's knowledge, potentially disrupting industrial processes or equipment control.
Who's at risk
Water and wastewater utilities, electric utilities, and other critical infrastructure operators using Siemens SIMATIC S7-1200 or SIPLUS S7-1200 programmable logic controllers for process automation, particularly in control and monitoring systems. This includes all variants of CPU 1211C, 1212C, 1212FC, 1214C, 1214FC, 1215C, 1215FC, and 1217C models running firmware versions before 4.7.
How it could be exploited
An attacker crafts a malicious webpage containing a CSRF payload targeting the S7-1200 web interface. When an authorized operator or engineer visits this page (e.g., via an email link or phishing), the attacker's JavaScript sends requests to the PLC web interface using the operator's active session, bypassing normal authorization checks. The attacker can then alter PLC settings or data.
Prerequisites
- An operator or engineer with an active browser session to the S7-1200 web interface must visit an attacker-controlled malicious webpage
- The S7-1200 web interface must be accessible from the network where the operator's workstation is located
- The user must have legitimate credentials and authorization to access the PLC web interface
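A detection check for the request pattern described above, as an added example that is not part of the original advisory or of any Siemens tooling: it flags state-changing requests to a PLC web interface whose Origin or Referer header points at a different site. The JSON log format, field names, addresses (documentation ranges) and paths are constructed assumptions standing in for whatever a logging proxy or network sensor in front of the PLC records.

```python
import json
from urllib.parse import urlsplit

# Assumption: addresses of the monitored PLC web interfaces (TEST-NET placeholders).
PLC_HOSTS = {"192.0.2.10", "192.0.2.11"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample records (JSON lines); paths and hosts are illustrative only.
SAMPLE_LOG = """
{"ts":"2025-01-14T08:01:02Z","src":"10.0.5.20","method":"GET","host":"192.0.2.10","path":"/","origin":null,"referer":null}
{"ts":"2025-01-14T08:01:30Z","src":"10.0.5.20","method":"POST","host":"192.0.2.10","path":"/example/write","origin":"https://192.0.2.10","referer":null}
{"ts":"2025-01-14T08:07:11Z","src":"10.0.5.20","method":"POST","host":"192.0.2.10","path":"/example/write","origin":"https://news.example","referer":null}
{"ts":"2025-01-14T08:09:45Z","src":"10.0.5.31","method":"POST","host":"192.0.2.11","path":"/example/write","origin":null,"referer":"https://mail.example/inbox"}
{"ts":"2025-01-14T08:12:00Z","src":"10.0.5.31","method":"POST","host":"192.0.2.10","path":"/example/write","origin":null,"referer":null}
{"ts":"2025-01-14T08:13:19Z","src":"10.0.5.31","method":"POST","host":"198.51.100.7","path":"/login","origin":"https://other.example","referer":null}
{"ts":"2025-01-14T08:15:52Z","src":"10.0.5.20","method":"POST","host":"192.0.2.11","path":"/example/write","origin":"null","referer":null}
"""

def source_host(record):
    """Host the browser reports as the request's source: Origin first, Referer as fallback."""
    for header in ("origin", "referer"):
        value = record.get(header)
        if value == "null":      # opaque origin (e.g. sandboxed frame): never same-site
            return "opaque"
        if value:
            return urlsplit(value).hostname
    return None

def classify(record):
    """Return 'ok', 'cross-site' or 'no-origin' for one logged request."""
    if record["host"] not in PLC_HOSTS or record["method"] not in STATE_CHANGING:
        return "ok"
    src = source_host(record)
    if src is None:
        return "no-origin"       # cannot be attributed; queue for review, not an alert
    return "ok" if src == record["host"] else "cross-site"

def scan(log_text):
    """Return (timestamp, client, path, verdict) for every request that is not 'ok'."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            verdict = classify(rec)
            if verdict != "ok":
                findings.append((rec["ts"], rec["src"], rec["path"], verdict))
    return findings
```
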
Remotely exploitable | Requires user interaction (clicking malicious link) | Affects safety-critical industrial control systems | Broad impact across multiple S7-1200 models and variants | Complexity: low
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (34)
34 with fix
Product | Affected Versions | Fix Status
SIMATIC S7-1200 CPU 1211C AC/DC/Rly | <V4.7 | 4.7
SIMATIC S7-1200 CPU 1211C DC/DC/DC | <V4.7 | 4.7
SIMATIC S7-1200 CPU 1211C DC/DC/Rly | <V4.7 | 4.7
SIMATIC S7-1200 CPU 1212C AC/DC/Rly | <V4.7 | 4.7
SIMATIC S7-1200 CPU 1212C DC/DC/DC | <V4.7 | 4.7
Remediation & Mitigation
Do now
WORKAROUND: Do not click on links from untrusted sources; educate operators and engineers about phishing and social engineering risks
HARDENING: Restrict network access to S7-1200 web interface using firewall rules, access control lists, or industrial security gateways; only allow connections from known engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SIMATIC S7-1200 CPU and SIPLUS S7-1200 CPU firmware to version 4.7 or later
Long-term hardening
HARDENING: Segment the PLC network from general corporate IT networks and untrusted networks to reduce the likelihood that operators access untrusted web content on the same network as the PLC
CVEs (1)
API:
/api/v1/advisories/69b27de1-cdc9-400d-be04-a36e11450bdf