Siemens SIMATIC
CVSS v3 5.3 · ICS-CERT ICSA-25-044-02 · Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The web server of several SIMATIC products is affected by a user enumeration vulnerability: an unauthenticated remote attacker can identify valid usernames by analyzing differences in the HTTP responses. Affected products include SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller CPUs, SIMATIC ET 200SP Open Controller, and SIMATIC S7-PLCSIM Advanced. The vulnerability is exploitable via HTTP (port 80) but not via HTTPS (port 443). Siemens has released firmware updates for most affected products (the product table below lists V31.1.4 as the fix for the SIMATIC ET 200SP Open Controller CPU 1515SP PC2); no fix is currently available for the SIMATIC S7-1500 Software Controller.
What this means
What could happen
An attacker can identify valid usernames on your PLC's web interface without logging in, which could enable targeted attacks to guess or brute-force credentials. This is a reconnaissance step that increases the risk of unauthorized control changes.
Who's at risk
Manufacturing facilities and transportation systems using Siemens SIMATIC S7-1200, S7-1500, Drive Controller, ET 200SP Open Controller, and S7-PLCSIM Advanced products should be concerned. Any organization running these PLCs in critical processes like assembly lines, conveyor systems, pump stations, or process control should assess their exposure.
How it could be exploited
An attacker sends login or authentication requests to the PLC's web server on port 80 and compares the responses (status codes, error messages, body content) across candidate usernames; a response that differs for existing versus non-existing accounts acts as an oracle for which usernames are valid. Once valid usernames are identified, the attacker can attempt credential attacks or social engineering to gain access to the PLC and potentially modify control logic or process parameters. The HTTPS endpoint on port 443 is not affected, so the attack only works where HTTP is enabled and reachable.
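The response-differential technique described above, as an added illustration that is not Siemens code and does not reproduce the actual SIMATIC web server's responses: a constructed login handler that leaks whether a username exists, its uniform-response counterpart, and the attacker-side step of grouping candidate usernames by response signature. User names, passwords, status codes and messages are all constructed for the example.

```python
"""Username-enumeration oracle on a login endpoint (added example).

The two handlers are stand-ins for a PLC web server's login endpoint,
constructed for this illustration; they are NOT the SIMATIC webserver's
code or its real responses. They show the generic flaw (the response
depends on whether the username exists) and the generic fix (one uniform
response, with the password comparison always performed).
"""
import hashlib
import hmac
from collections import defaultdict


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user database: username -> password hash (example data only).
_USERS = {
    "admin": _pw_hash("correct horse"),
    "maint": _pw_hash("battery staple"),
}
_DECOY_HASH = _pw_hash("decoy")  # compared against for unknown users


def vulnerable_login(username: str, password: str) -> tuple:
    """Leaky handler: status and message reveal whether the user exists,
    before the password is even checked."""
    stored = _USERS.get(username)
    if stored is None:
        return 404, "Unknown user"
    if hmac.compare_digest(stored, _pw_hash(password)):
        return 200, "Login OK"
    return 401, "Wrong password"


def hardened_login(username: str, password: str) -> tuple:
    """Uniform handler: identical status and message for 'unknown user' and
    'wrong password'; the hash comparison runs in both cases so the timing
    of the two paths is comparable as well."""
    stored = _USERS.get(username, _DECOY_HASH)
    match = hmac.compare_digest(stored, _pw_hash(password))
    if match and username in _USERS:
        return 200, "Login OK"
    return 401, "Invalid username or password"


def response_classes(login, candidates, junk_password="not-the-password"):
    """Attacker-side step: probe every candidate with a junk password and
    group candidates by the (status, body) signature they produce."""
    buckets = defaultdict(list)
    for name in candidates:
        buckets[login(name, junk_password)].append(name)
    return dict(buckets)


def leaks_usernames(login, candidates) -> bool:
    """True when the endpoint gives more than one response class for junk
    passwords, i.e. it distinguishes existing from non-existing users."""
    return len(response_classes(login, candidates)) > 1


if __name__ == "__main__":
    probe = ["admin", "operator", "maint", "guest"]  # constructed wordlist
    print("vulnerable:", response_classes(vulnerable_login, probe))
    print("hardened:  ", response_classes(hardened_login, probe))
```

Running the block shows the vulnerable handler splitting the wordlist into two classes (existing users answer 401 "Wrong password", the rest 404 "Unknown user"), while the hardened handler returns a single class. On the affected SIMATIC devices the fix is the firmware update listed below; a uniform response like `hardened_login` is the generic pattern that update has to achieve.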
Prerequisites
- Network access to the PLC's HTTP port (80/tcp)
- PLC configured to allow HTTP web server access
- No firewall or network segmentation blocking access to the PLC
Tags: remotely exploitable · no authentication required · low complexity · affects industrial PLCs
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (86): 85 with fix, 1 pending (5 of 86 rows shown)
Product | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF | ≥ V3.1.0 and < V3.1.2 | V3.1.2
SIMATIC Drive Controller CPU 1507D TF | ≥ V3.1.0 and < V3.1.2 | V3.1.2
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | ≥ V30.1.0 and < V31.1.4 | V31.1.4
SIMATIC S7-1200 CPU 1211C AC/DC/Rly | < V4.7 | V4.7
SIMATIC S7-1200 CPU 1211C DC/DC/DC | < V4.7 | V4.7
Remediation & Mitigation
Do now
WORKAROUND: Disable HTTP (port 80) on affected PLCs and use HTTPS (port 443) only
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF to firmware version V3.1.2 or later
SIMATIC Drive Controller CPU 1507D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1507D TF to firmware version V3.1.2 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version V7.0 or later
All products
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware version V31.1.4 or later
HOTFIX: Update all SIMATIC S7-1200 CPUs to firmware version V4.7 or later
HOTFIX: Update all SIMATIC S7-1500 CPUs to firmware version V3.1.2 or later
Long-term hardening
HARDENING: Restrict network access to PLC web interfaces to authorized engineering workstations only, using firewall rules
HARDENING: Segment PLC networks from general corporate networks to limit exposure of web interfaces
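A check for the workaround and hardening items above, added here as an example and not Siemens tooling: from a host that can reach the PLC network, confirm for each controller in an inventory that 80/tcp refuses connections (HTTP disabled or filtered) while 443/tcp still accepts them. It only performs TCP connects, never logs in, and cannot tell whether the firewall allow-list is correct from other source addresses; the inventory and the local listener used for the demo are constructed for the example, and the port numbers are parameters so the same code can be pointed at a lab listener instead of real 80/443.

```python
"""Verify HTTP-disabled / HTTPS-only exposure of PLC web servers (added example).

Not Siemens tooling. Each inventory entry is (host, http_port, https_port);
a host passes only when the HTTP port is closed and the HTTPS port is open.
The demo at the bottom uses a throwaway listener on 127.0.0.1 in place of a
real controller so the script runs offline.
"""
import socket
import threading


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def check_plc(host: str, http_port: int = 80, https_port: int = 443,
              timeout: float = 2.0) -> dict:
    """Describe one host's web-server exposure. 'ok' means the workaround
    is in effect: HTTP closed, HTTPS reachable."""
    http_open = tcp_open(host, http_port, timeout)
    https_open = tcp_open(host, https_port, timeout)
    return {"host": host, "http_open": http_open, "https_open": https_open,
            "ok": (not http_open) and https_open}


def audit(inventory, timeout: float = 2.0) -> list:
    """Run check_plc over an iterable of (host, http_port, https_port)."""
    return [check_plc(h, hp, sp, timeout) for h, hp, sp in inventory]


def failing_hosts(results) -> list:
    """Hosts that still expose HTTP or do not answer on HTTPS."""
    return [r["host"] for r in results if not r["ok"]]


# --- offline demo helpers: a local listener stands in for a PLC's HTTPS port
def start_listener():
    """Bind a throwaway TCP listener on 127.0.0.1; return (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Pick a 127.0.0.1 port that is currently not listening."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, https_port = start_listener()
    # Constructed inventory: one "PLC" at localhost with HTTP off, HTTPS on.
    results = audit([("127.0.0.1", closed_port(), https_port)], timeout=1.0)
    for r in results:
        print(r)
    print("failing:", failing_hosts(results))
    srv.close()
```

Against real controllers, replace the inventory with the PLC addresses and the default ports 80/443; run it once after applying the workaround and again after each firmware update, and from a host outside the engineering VLAN to confirm the segmentation rule blocks the path entirely.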
CVEs (1)
API: /api/v1/advisories/a500a274-723d-4586-83a7-e465f4c51b7f