Siemens SIMATIC IPC Family, ITP1000, and Field PGs

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-25-072-11 | Mar 11, 2025
Siemens
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Siemens SIMATIC IPCs, SIMATIC Tablet PCs (ITP1000), and SIMATIC Field PGs allow an authenticated attacker with local access to alter secure boot settings and administrator password configurations. These devices are used throughout water and energy utilities for control and monitoring of critical infrastructure. Siemens has released BIOS updates for newer product variants but has not released fixes for older models. The vulnerabilities affect secure boot integrity and password management, allowing persistence and potential unauthorized control after initial compromise by someone with local access and credentials.

What this means
What could happen
An authenticated attacker with physical or local access to a SIMATIC IPC, Tablet PC, or Field PG could modify secure boot settings and administrator password configurations, potentially compromising system integrity and preventing authorized access to the device.
Who's at risk
Water utilities and electrical utilities operating SIMATIC industrial PCs, tablet PCs, and Field PGs used for SCADA monitoring, process control, and engineering workstations. This includes plant operators, control room staff, and maintenance engineers who rely on these devices for safe operation of critical water treatment, pumping, and power distribution systems.
How it could be exploited
An attacker with local or physical access to the device and administrative credentials could exploit improper access controls in the BIOS/firmware to bypass secure boot mechanisms and reset administrator passwords, gaining persistent control over the device and its industrial processes.
Prerequisites
  • High privilege account credentials (root/administrator access)
  • Local or physical access to the device console or management interface
  • Ability to access BIOS or firmware configuration menus
  • Requires high privilege credentials
  • Requires local or physical access
  • No patch available for 15+ affected product variants (Field PG M5, ITP1000, RC-543A, RW-543A, and older E-series IPCs)
  • Affects industrial control system infrastructure and SCADA platforms
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (32)
19 with fix, 13 pending
Product | Affected Versions | Fix Status
SIMATIC Field PG M5 | All versions | No fix yet
SIMATIC IPC BX-21A | < 31.01.07 | 31.01.07
SIMATIC IPC BX-32A | < 29.01.07 | 29.01.07
SIMATIC IPC BX-39A | < 29.01.07 | 29.01.07
SIMATIC IPC BX-59A | < 32.01.04 | 32.01.04
Remediation & Mitigation
Do now
WORKAROUND: Restrict administrative and root account access to authorized personnel only; limit who can log in with elevated privileges
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC IPC627E
HOTFIX: Update SIMATIC IPC627E, IPC647E, IPC677E, IPC847E to version 25.02.15 or later
SIMATIC IPC BX-21A
HOTFIX: Update SIMATIC IPC BX-21A to version 31.01.07 or later
SIMATIC IPC BX-32A
HOTFIX: Update SIMATIC IPC BX-32A, BX-39A, PX-32A, PX-39A, PX-39A PRO to version 29.01.07 or later
SIMATIC IPC BX-59A
HOTFIX: Update SIMATIC IPC BX-59A to version 32.01.04 or later
SIMATIC IPC227G
HOTFIX: Update SIMATIC IPC227G, IPC277G, IPC277G PRO, IPC327G, IPC377G to version 28.01.14 or later
SIMATIC IPC RC-543B
HOTFIX: Update SIMATIC IPC RC-543B to version 35.01.12 or later
SIMATIC IPC RW-543B
HOTFIX: Update SIMATIC IPC RW-543B to version 35.02.10 or later
SIMATIC Field PG M6
HOTFIX: Update SIMATIC Field PG M6 to version 26.01.12 or later
Long-term hardening
HARDENING: Isolate SIMATIC IPCs, Tablet PCs, and Field PGs from direct internet exposure using network segmentation and firewalls
HARDENING: Implement physical security controls to restrict local and console access to these devices in the control room or equipment areas
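
Added example, not part of the advisory or any Siemens tooling: a triage pass that sorts an asset inventory into update, already patched, and no-fix buckets using the fixed BIOS versions and no-fix models named above. The CSV layout, host names, installed versions, the `EXAMPLE-1` model and the status labels are assumptions made for illustration; models this page does not name are flagged for a check against the full advisory.

```python
import csv
import io

# Fixed BIOS versions from the HOTFIX list on this page ("SIMATIC"/"IPC " dropped).
FIX_GROUPS = [
    ("IPC627E,IPC647E,IPC677E,IPC847E", "25.02.15"),
    ("BX-21A", "31.01.07"), ("BX-59A", "32.01.04"),
    ("BX-32A,BX-39A,PX-32A,PX-39A,PX-39A PRO", "29.01.07"),
    ("IPC227G,IPC277G,IPC277G PRO,IPC327G,IPC377G", "28.01.14"),
    ("RC-543B", "35.01.12"), ("RW-543B", "35.02.10"),
    ("FIELD PG M6", "26.01.12"),
]
FIXED = {m: v for models, v in FIX_GROUPS for m in models.split(",")}
NO_FIX = {"FIELD PG M5", "ITP1000", "RC-543A", "RW-543A"}  # only those named here

def normalize(model):
    name = " ".join(model.upper().split())  # upper-case, collapse whitespace
    return name.removeprefix("SIMATIC ").removeprefix("IPC ")

def parse_version(text):
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)  # numeric tuple, so 28.01.9 < 28.01.14

def triage(model, bios):
    key = normalize(model)
    if key in NO_FIX:
        return "NO_FIX"            # rely on the workaround and hardening items
    if key not in FIXED:
        return "CHECK_ADVISORY"    # model not named on this page
    installed = parse_version(bios)
    if installed is None:
        return "UNKNOWN_VERSION"   # read the BIOS version on the device itself
    return "PATCHED" if installed >= parse_version(FIXED[key]) else "UPDATE"

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["model"], r["bios"]) for r in rows}

# Constructed sample inventory: hosts and installed versions are made up.
SAMPLE = """host,model,bios
hmi-01,SIMATIC IPC BX-21A,31.01.06
hmi-02,SIMATIC IPC BX-21A,31.01.07
eng-01,SIMATIC Field PG M5,22.01.10
scada-01,SIMATIC IPC377G,28.01.9
rack-01,SIMATIC IPC RW-543B,n/a
rack-02,SIMATIC IPC EXAMPLE-1,1.0.0"""
print(triage_inventory(SAMPLE))
```

Devices reported as `NO_FIX` stay on the access-restriction workaround and the hardening items until a BIOS update exists for them.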
API: /api/v1/advisories/641b389b-876e-4f74-9e90-6d78cc427922
