Siemens SIMATIC

Monitor | CVSS 5.3 | ICS-CERT ICSA-25-044-02 | Feb 11, 2025
Vendor: Siemens. Sectors: Manufacturing, Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Siemens SIMATIC products contain a user enumeration vulnerability in the webserver that allows an unauthenticated remote attacker to identify valid usernames. The vulnerability affects SIMATIC ET 200SP controllers, S7-1200 and S7-1500 PLCs, SIMATIC Drive Controllers, and the S7-PLCSIM Advanced simulator across firmware versions from approximately V3.1.0 to V3.1.2 (ET 200SP/S7-1500 hardware), V4.6 and earlier (S7-1200), and V30.1.0 to V31.1.4 (S7-1500 software controllers). User enumeration is exploitable only via HTTP (port 80/tcp); HTTPS (port 443/tcp) is not affected.

What this means
What could happen
An attacker can discover which operator and engineer usernames exist on your PLC or controller without requiring any credentials, potentially enabling targeted credential attacks or social engineering. This does not directly alter operations but reduces the barrier to gaining control of the device.
Who's at risk
Manufacturing and transportation facilities using Siemens SIMATIC industrial PLCs and controllers should assess their exposure. Specifically, this affects organizations using SIMATIC ET 200SP distributed I/O controllers, S7-1200 compact PLCs, S7-1500 modular PLCs, SIMATIC Drive Controllers, S7-1500 Software Controllers (virtualized PLCs), and S7-PLCSIM Advanced simulation software if those systems run affected firmware versions and have network-accessible web interfaces.
How it could be exploited
An attacker with network access to the PLC's webserver on HTTP port 80 sends specially crafted requests to the web interface and observes response differences (timing, error messages, or page content) that reveal whether a username exists. With a list of valid usernames, the attacker can then attempt password guessing or other credential attacks.
Prerequisites
  • Network reachability to HTTP port 80/tcp on the affected SIMATIC device
  • Ability to send HTTP requests (no authentication required for enumeration itself)
Key points
  • Remotely exploitable
  • No authentication required
  • Enables credential attack reconnaissance
  • Affects core industrial control devices (PLCs, controllers)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (101)
100 with fix, 1 pending
Product | Affected Versions | Fix Status
SIMATIC ET 200SP CPU 1510SP F-1 PN | ≥ V3.1.0, < V3.1.2 | 3.1.2
SIMATIC ET 200SP CPU 1510SP-1 PN | ≥ V3.1.0, < V3.1.2 | 3.1.2
SIMATIC ET 200SP CPU 1512SP F-1 PN | ≥ V3.1.0, < V3.1.2 | 3.1.2
SIMATIC ET 200SP CPU 1512SP-1 PN | ≥ V3.1.0, < V3.1.2 | 3.1.2
SIMATIC ET 200SP CPU 1514SP F-2 PN | ≥ V3.1.0, < V3.1.2 | 3.1.2
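The version ranges this advisory states can be applied to an asset inventory mechanically, which is how a defender finds the devices that still need the fix or the HTTP workaround. The following is an added example, not code from the advisory or from Siemens; the product-name keywords, the Drive Controller lower bound and the S7-PLCSIM Advanced range (the page gives only its fix version) are assumptions.

```python
# Added example (not from the advisory or Siemens); product keywords below are an assumption.
import re

def parse_version(text):
    """'V3.1.2', '3.1' or 'V 31.1.4' -> tuple of ints; raises if no number is found."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def pad(v, n):  # right-pad with zeros so 'V3.1' compares as 'V3.1.0'
    return v + (0,) * (n - len(v))

# (uppercase product keyword, lowest affected version or None, first fixed version).
# Order matters: the Software Controller entry must precede the plain S7-1500 one.
AFFECTED_RANGES = [
    ("S7-1500 SOFTWARE CONTROLLER", (30, 1, 0), (31, 1, 4)),  # V30.1.0 to V31.1.4
    ("S7-PLCSIM ADVANCED", None, (7, 0)),   # page states only the fix (7.0); earlier assumed affected
    ("S7-1200", None, (4, 7)),              # V4.6 and earlier; fixed in 4.7
    ("ET 200SP", (3, 1, 0), (3, 1, 2)),     # >= V3.1.0, < V3.1.2; fixed in 3.1.2
    ("S7-1500", (3, 1, 0), (3, 1, 2)),
    ("DRIVE CONTROLLER", (3, 1, 0), (3, 1, 2)),  # lower bound assumed equal to S7-1500
]

def classify(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one inventory row."""
    name, v = product.upper(), parse_version(version)
    for keyword, low, fixed in AFFECTED_RANGES:
        if keyword not in name:
            continue
        n = max(len(v), len(fixed), len(low or ()))
        pv = pad(v, n)
        if pv >= pad(fixed, n):
            return "fixed"
        if low is not None and pv < pad(low, n):
            return "not-listed"  # older than the stated lower bound; advisory is silent
        return "affected"
    return "not-listed"  # product family not named in this advisory

def affected_assets(inventory):
    """Reduce (asset_id, product, version) rows to the asset ids that still need the fix."""
    return [a for a, p, ver in inventory if classify(p, ver) == "affected"]

# Constructed sample inventory; asset ids and exact model names are illustrative.
SAMPLE_INVENTORY = [
    ("plc-01", "SIMATIC ET 200SP CPU 1510SP F-1 PN", "V3.1.1"),
    ("plc-02", "SIMATIC S7-1200 CPU 1214C", "V4.7"),
    ("plc-03", "SIMATIC S7-1500 Software Controller CPU 1507S", "V31.1.3"),
    ("plc-04", "SIMATIC S7-1500 CPU 1516-3 PN/DP", "V3.0.3"),
]
```

Rows that come back "not-listed" are outside the ranges this page states, not confirmed safe; check them against the full 101-product list in the vendor advisory.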
Remediation & Mitigation
Do now
WORKAROUND: Disable HTTP (port 80/tcp) access to the PLC webserver; provide web service access through HTTPS (port 443/tcp) only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller CPUs and S7-PLCSIM Advanced to version 31.1.4 and 7.0, respectively
All products
HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.7 or later
HOTFIX: Update SIMATIC ET 200SP CPUs, S7-1500 CPUs, and SIMATIC Drive Controllers to firmware version 3.1.2 or later
Long-term hardening
HARDENING: Restrict network access to the PLC's webserver ports (80 and 443) to only trusted engineering workstations and HMIs using firewall rules or network segmentation