Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX

Monitor | CVSS 5.3 | ICS-CERT ICSA-25-105-03 | Apr 8, 2025
Siemens | Energy | Manufacturing | Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability exists in the integrated ICMP services within the TCP/IP stack of multiple Siemens industrial control devices. An attacker can send specially crafted ICMP packets to trigger a temporary denial of service of ICMP communication on affected products. A successful attack impacts the availability of ICMP services for a limited time until the device recovers after the attack ceases. Other communication services such as Modbus TCP and PROFINET are not affected. Siemens has released firmware updates for several product families and is preparing additional fixes for others. For products without patches, network-level mitigation is required.

What this means
What could happen
An attacker can send specially crafted ICMP packets over the network to cause a temporary denial of service of ICMP communication on affected PLCs and control devices, disrupting network diagnostics and potentially affecting remote monitoring or control operations that depend on ICMP connectivity.
Who's at risk
Siemens industrial control devices across multiple product families are affected: S7-1200, S7-300, S7-400, S7-410, S7-1500, ET 200 series distributed I/O modules, SIMOCODE motor control devices, SIWAREX weighing terminals, SIDOOR door systems, and SINUMERIK CNC systems. This impacts manufacturing, energy, and transportation sectors that rely on these PLCs and controllers for process automation and remote monitoring.
How it could be exploited
An attacker on the network sends oversized or malformed ICMP echo requests to the affected device. The vulnerable TCP/IP stack processes these packets and becomes unable to respond to legitimate ICMP requests for a period of time. The device recovers after the attack stops. Other communication services (like Modbus TCP or PROFINET) are not affected.
Prerequisites
  • Network access to the device (attacker must be on the same network or routable network segment)
  • No authentication required to send ICMP packets
Risk factors: remotely exploitable; no authentication required; affects multiple device categories; large number of products have no patch available; affects devices used in safety-critical infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (138)
42 with fix, 96 pending
Product | Affected Versions | Fix Status
SIMATIC ET 200SP CPU 1510SP F-1 PN | All versions | No fix yet
SIMATIC ET 200SP CPU 1510SP-1 PN | All versions | No fix yet
SIMATIC ET 200SP CPU 1512SP F-1 PN | All versions | No fix yet
SIMATIC ET 200SP CPU 1512SP-1 PN | All versions | No fix yet
SIMATIC ET 200SP IM 155-6 MF HF | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Implement packet filtering at network perimeter devices (firewalls, routers, IDS/IPS) to block ICMP messages with large payloads
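The filtering decision behind this workaround, as an added example (not part of the advisory or any Siemens material): a classifier for raw IPv4 packets that drops ICMP with a large payload and leaves other protocols alone. The 128-byte limit, the choice to drop all fragmented ICMP, the function names and the 192.0.2.x sample packets are assumptions made for illustration.

```python
import struct

# Assumed policy value (not from the advisory): largest ICMP payload, in
# bytes, that the site's own diagnostics legitimately send. Tune per site.
MAX_ICMP_PAYLOAD = 128
ICMP_PROTO = 1
ICMP_HEADER_LEN = 8


def classify_ipv4(packet: bytes, max_payload: int = MAX_ICMP_PAYLOAD) -> str:
    """Return 'pass' or 'drop:<reason>' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "pass"                      # not IPv4; out of scope here
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if packet[9] != ICMP_PROTO:
        return "pass"                      # Modbus TCP, PROFINET etc. untouched
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return "drop:malformed-ip-header"
    # A payload larger than the MTU arrives fragmented, and only the first
    # fragment carries the ICMP header: test MF bit and fragment offset.
    if frag & 0x3FFF:
        return "drop:fragmented-icmp"
    if total_len - ihl < ICMP_HEADER_LEN:
        return "drop:truncated-icmp"
    payload_len = total_len - ihl - ICMP_HEADER_LEN
    if payload_len > max_payload:
        return f"drop:icmp-payload-{payload_len}"
    return "pass"


def build_ipv4(proto: int, l4: bytes, frag: int = 0) -> bytes:
    """Build a constructed test packet (header checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag, 64,
                      proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + l4


# Constructed samples: normal ping, large ping, first fragment, TCP segment.
SAMPLES = {
    "ping-56": build_ipv4(1, b"\x08\x00" + bytes(6) + bytes(56)),
    "ping-1400": build_ipv4(1, b"\x08\x00" + bytes(6) + bytes(1400)),
    "frag-first": build_ipv4(1, b"\x08\x00" + bytes(6) + bytes(64), frag=0x2000),
    "tcp": build_ipv4(6, bytes(20)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_ipv4(pkt))
```

Measure the payload sizes used by existing monitoring and engineering tools before choosing the limit, since a value set too low blocks legitimate diagnostics.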
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PN/PN Coupler
HOTFIX: Update SIMATIC PN/PN Coupler and SIPLUS NET PN/PN Coupler to version 6.0.0 or later
SIMATIC CFU DIQ
HOTFIX: Update SIMATIC CFU DIQ and SIMATIC CFU PA modules to firmware version 2.0.0 or later
All products
HOTFIX: Update S7-1200 CPU models (1211C, 1212C, 1212FC, 1214C, 1214FC, 1215C, 1215FC, 1217C) and SIPLUS S7-1200 variants to firmware version 4.4 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU family and SIPLUS variants to firmware version 8.3 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU family and SIPLUS variants to firmware version 10.2 or later
Long-term hardening
HARDENING: For SIMATIC S7-400 H V6 CPU family and SIPLUS variants with no fix available, disable the onboard Ethernet ports on the CPU and use a separate communication module (CP) for all network communication instead