Siemens SIMATIC S7-1500 CPU Family
Act Now · CVSS 9.8 · ICS-CERT ICSA-25-162-05 · Jun 10, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in the GNU/Linux subsystem of firmware version V3.1.5 and later in the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP and SIPLUS S7-1500 CPU 1518-4 PN/DP MFP. The vulnerabilities span memory management, input validation, authentication, and privilege escalation mechanisms. Siemens is preparing fixes and recommends protective network measures for affected devices.
What this means
What could happen
An attacker with network access to the CPU could exploit multiple vulnerabilities to run arbitrary commands on the PLC itself, potentially altering control logic, modifying setpoints, or stopping production. This directly compromises the safety and availability of automated processes.
Who's at risk
Water utilities, municipal electric utilities, manufacturing plants, and other critical infrastructure operators using Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP or SIPLUS variants for process automation, pump control, power distribution, or other safety-critical applications. Any facility where a PLC malfunction could cause equipment damage, unsafe conditions, or production loss is at risk.
How it could be exploited
An attacker sends a specially crafted network packet to the CPU's management interface (port 102 or diagnostic port). The Linux subsystem processes the malformed input without proper validation, triggering memory corruption or a privilege escalation flaw. The attacker gains code execution in the kernel context and can then modify the PLC firmware or inject commands into the control logic.
Prerequisites
- Network access to the CPU management or diagnostic ports (port 102 or equivalent)
- No authentication required to trigger the vulnerability
- Device must be running firmware version V3.1.5 or later
Tags: remotely exploitable · no authentication required · low complexity · actively exploited (KEV) · high EPSS score (94.4%) · no patch available · affects safety systems
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (3), all 3 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | ≥ 3.1.5 | No fix (EOL)
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | ≥ 3.1.5 | No fix (EOL)
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | ≥ 3.1.5 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the CPU management and diagnostic ports (port 102) using firewall rules. Allow only authorized engineering workstations and HMI systems to communicate with the device.
HARDENING: Segment the PLC network from the corporate IT network using a DMZ or dedicated industrial network with restricted routing and access controls.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HARDENING: Deploy a network intrusion detection system (IDS) or industrial traffic analyzer on the OT network to monitor for suspicious communication patterns to the CPU.
HOTFIX: Monitor Siemens security bulletins for available firmware updates and apply them to affected CPUs as soon as they are released and tested in your environment.
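The two network controls above (the port 102 allowlist in "Do now" and the OT traffic monitoring in "Schedule") can be expressed concretely. The following is an added example written for this page; it is not code from the advisory, from Siemens, or from the site publishing this summary. Every address, the OT subnet, the nftables table name and the log-line format are constructed placeholders that a plant would replace with its own values. It renders an nftables ruleset that permits only named engineering workstations and HMIs to reach the CPU management port, and it scans firewall or flow-export log lines for management-port access from any other host, which is the kind of "suspicious communication pattern" an IDS on the OT network should alert on.

```python
"""Added example, not part of the original advisory or of any Siemens tooling.

  1. render_nft_allowlist(): an nftables allowlist for the CPU management
     port (TCP/102) that permits only named engineering workstations / HMIs.
  2. analyse_log(): a detector that flags management-port access to a PLC
     from hosts outside the OT segment or not on the allowlist.

All addresses and the log format are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed placeholders: replace with the real PLC, OT segment and
# authorized client addresses for your plant.
PLC_ADDRESSES = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
OT_SUBNET = ipaddress.ip_network("192.0.2.0/24")
AUTHORIZED_CLIENTS = {
    ipaddress.ip_address("192.0.2.50"),  # engineering workstation (placeholder)
    ipaddress.ip_address("192.0.2.60"),  # HMI (placeholder)
}
MANAGEMENT_PORT = 102  # the CPU management port named in the advisory


def render_nft_allowlist() -> str:
    """Build an nftables ruleset enforcing the 'Do now' workaround on a
    firewall that forwards traffic between the IT and OT segments."""
    plcs = ", ".join(str(a) for a in sorted(PLC_ADDRESSES))
    clients = ", ".join(str(a) for a in sorted(AUTHORIZED_CLIENTS))
    return "\n".join([
        "table inet plc_guard {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        # only the named clients may reach the management port
        f"        ip daddr {{ {plcs} }} tcp dport {MANAGEMENT_PORT} ip saddr {{ {clients} }} accept",
        # anything else aimed at the management port is logged and dropped
        f'        ip daddr {{ {plcs} }} tcp dport {MANAGEMENT_PORT} log prefix "plc-mgmt-denied " drop',
        "    }",
        "}",
    ])


# Assumed (constructed) log format, one connection per line:
#   <ISO timestamp> proto=<proto> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line shows management-port access to a PLC
    from a host that should not be talking to it, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a production collector would count these
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst not in PLC_ADDRESSES or dport != MANAGEMENT_PORT:
        return None  # not traffic to a PLC management port
    if src not in OT_SUBNET:
        reason = "management port reached from outside the OT segment"
    elif src not in AUTHORIZED_CLIENTS:
        reason = "management port reached from unauthorized OT host"
    else:
        return None  # an allowlisted engineering workstation or HMI
    return Finding(m["ts"], str(src), str(dst), dport, reason)


def analyse_log(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (analyse_line(line) for line in lines) if f is not None]


# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    "2025-06-10T08:00:01Z proto=tcp src=192.0.2.50 dst=192.0.2.10 dport=102 action=allow",
    "2025-06-10T08:00:05Z proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=102 action=allow",
    "2025-06-10T08:00:09Z proto=tcp src=192.0.2.77 dst=192.0.2.11 dport=102 action=allow",
    "2025-06-10T08:00:12Z proto=tcp src=192.0.2.60 dst=192.0.2.10 dport=443 action=allow",
    "2025-06-10T08:00:15Z proto=tcp src=192.0.2.77 dst=192.0.2.99 dport=102 action=allow",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    print(render_nft_allowlist())
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

Running the block prints the ruleset and two findings: one for the host outside the OT subnet and one for the OT host that is not on the allowlist. The ruleset deliberately logs before dropping so that blocked attempts show up in the same log the detector reads; with the policy in place, those denied lines are the first thing to review after deployment.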
Mitigations (no patch available)
The following products have reached End of Life with no planned fix: SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP, SIPLUS S7-1500 CPU 1518-4 PN/DP MFP, SIMATIC S7-1500 CPU 1518-4 PN/DP MFP. Apply the following compensating controls:
HARDENING: Review and enforce Siemens' operational guidelines for Industrial Security to ensure the PLC environment follows secure configuration standards.
CVEs (148)
CVE-2025-9230, CVE-2025-9232, CVE-2024-12133, CVE-2024-6119, CVE-2024-6387, CVE-2023-38545, CVE-2023-4911, CVE-2023-51384, CVE-2023-5363, CVE-2021-41617,
CVE-2023-4527, CVE-2023-4806, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, CVE-2023-28531, CVE-2023-38546, CVE-2023-44487, CVE-2023-46218, CVE-2023-46219,
CVE-2023-48795, CVE-2023-51385, CVE-2023-52927, CVE-2024-2961, CVE-2024-12243, CVE-2024-24855, CVE-2024-26596, CVE-2024-28085, CVE-2024-33599, CVE-2024-33600,
CVE-2024-33601, CVE-2024-33602, CVE-2024-34397, CVE-2024-37370, CVE-2024-37371, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-50246, CVE-2024-53166,
CVE-2024-57924, CVE-2024-57977, CVE-2024-57996, CVE-2024-58005, CVE-2025-3198, CVE-2025-4373, CVE-2025-4598, CVE-2025-5244, CVE-2025-5245, CVE-2025-6395,
CVE-2025-7425, CVE-2025-7545, CVE-2025-7546, CVE-2025-8224, CVE-2025-11082, CVE-2025-11083, CVE-2025-11412, CVE-2025-11413, CVE-2025-11414, CVE-2025-11494,
CVE-2025-11495, CVE-2025-11839, CVE-2025-11840, CVE-2025-21701, CVE-2025-21702, CVE-2025-21712, CVE-2025-21724, CVE-2025-21728, CVE-2025-21745, CVE-2025-21756,
CVE-2025-21758, CVE-2025-21765, CVE-2025-21766, CVE-2025-21767, CVE-2025-21795, CVE-2025-21796, CVE-2025-21848, CVE-2025-21862, CVE-2025-21864, CVE-2025-21865,
CVE-2025-26465, CVE-2025-31115, CVE-2025-32988, CVE-2025-32989, CVE-2025-38058, CVE-2025-38063, CVE-2025-38067, CVE-2025-38071, CVE-2025-38079, CVE-2025-38083,
CVE-2025-38100, CVE-2025-38111, CVE-2025-38124, CVE-2025-38167, CVE-2025-38198, CVE-2025-38212, CVE-2025-38214, CVE-2025-38215, CVE-2025-38222, CVE-2025-38231,
CVE-2025-38236, CVE-2025-38280, CVE-2025-38285, CVE-2025-38312, CVE-2025-38342, CVE-2025-38350, CVE-2025-38364, CVE-2025-38393, CVE-2025-38400, CVE-2025-38430,
CVE-2025-38451, CVE-2025-38457, CVE-2025-38465, CVE-2025-38466, CVE-2025-38468, CVE-2025-38470, CVE-2025-38471, CVE-2025-38477, CVE-2025-38498, CVE-2025-38499,
CVE-2025-38614, CVE-2025-38685, CVE-2025-38691, CVE-2025-38701, CVE-2025-38702, CVE-2025-38708, CVE-2025-38721, CVE-2025-38724, CVE-2025-38727, CVE-2025-39683,
CVE-2025-39689, CVE-2025-39697, CVE-2025-39724, CVE-2025-39756, CVE-2025-39770, CVE-2025-39773, CVE-2025-39783, CVE-2025-39787, CVE-2025-39795, CVE-2025-39798,
CVE-2025-39866, CVE-2025-39929, CVE-2025-39931, CVE-2025-39977, CVE-2025-40022, CVE-2025-46836, CVE-2025-59375, CVE-2025-66382
API: /api/v1/advisories/76524016-717a-4bf1-98c7-1c7a191764a5