OTPulse

Siemens SIMATIC S7-1500 CPU Family

Act Now | CVSS 9.8 | ICS-CERT ICSA-25-162-05 | Jun 10, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in the GNU/Linux subsystem of SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP firmware version 3.1.5 and later. The vulnerabilities involve memory safety issues (buffer overflows, use-after-free, out-of-bounds access), input validation flaws (CWE-20, CWE-400), cryptographic weaknesses, and authentication bypass mechanisms. An unauthenticated attacker on the network can exploit these flaws to execute arbitrary code on the CPU without requiring credentials or user interaction. Siemens is preparing firmware fixes and recommends network protection measures and adherence to Industrial Security operational guidelines for affected installations.

What this means
What could happen
An unauthenticated attacker on the network could execute arbitrary code on the S7-1500 CPU, compromising the PLC's ability to control critical processes like pump and valve operation, pressure regulation, or power distribution. This could result in loss of process control, operational shutdown, or unsafe physical conditions.
Who's at risk
Water utilities and municipal electric providers using Siemens S7-1500 CPU 1518 or 1518F processors for critical process control (SCADA, pump stations, substation automation, pressure management, switchgear control) are directly impacted. Any facility relying on these PLCs for essential operations should implement immediate network access restrictions.
How it could be exploited
An attacker with network access to the CPU can send specially crafted packets that exploit multiple memory safety and input validation flaws in the GNU/Linux subsystem firmware. No credentials or prior authentication is required. The attacker can leverage these vulnerabilities to execute arbitrary code with PLC privileges, gaining full control over the device and its industrial processes.
Prerequisites
  • Network access to the S7-1500 CPU (typically port 102 for S7 communication)
  • SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP with firmware version 3.1.5 or later
  • No authentication credentials required
remotely exploitable, no authentication required, low complexity, actively exploited (KEV), extremely high EPSS score (94.5%), no patch available, affects safety-critical systems, multiple memory safety and input validation flaws
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | ≥ 3.1.5 | No fix (EOL)
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | ≥ 3.1.5 | No fix (EOL)
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | ≥ 3.1.5 | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Monitor Siemens security advisories and vendor communications for availability of firmware fixes for SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. Plan and apply patches immediately upon release.
WORKAROUND: Restrict network access to the S7-1500 CPU using firewall rules, network segmentation, or air-gapping. Allow only authorized engineering workstations and HMI systems to communicate with the device on port 102 (S7 protocol).
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Disable or isolate unnecessary network interfaces and services on the CPU if they are not required for process operations.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP, SIPLUS S7-1500 CPU 1518-4 PN/DP MFP, SIMATIC S7-1500 CPU 1518-4 PN/DP MFP. Apply the following compensating controls:
HARDENING: Implement Siemens' operational guidelines for Industrial Security to protect the plant environment, including network architecture, access controls, and monitoring.
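
One way to check that the port 102 restriction in the workaround above is actually holding, as an added example that is not part of the advisory or any Siemens tooling: audit flow records for sources outside the authorized set. The PLC address, the allowlist, and the CSV record layout are assumptions, and the sample flows are constructed.

```python
import csv
import io
import ipaddress

# Assumed values for illustration; all addresses are documentation ranges.
PLC_ADDRS = {ipaddress.ip_address("192.0.2.10")}   # S7-1500 CPU (hypothetical)
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.0.2.32/29"),         # engineering workstations (hypothetical)
    ipaddress.ip_network("192.0.2.50/32"),         # HMI (hypothetical)
]
S7_PORT = 102

# Constructed sample records: time, source, destination, protocol, destination port
SAMPLE_FLOWS = """\
2025-06-10T08:00:01Z,192.0.2.33,192.0.2.10,tcp,102
2025-06-10T08:00:05Z,192.0.2.50,192.0.2.10,tcp,102
2025-06-10T08:01:12Z,198.51.100.7,192.0.2.10,tcp,102
2025-06-10T08:01:40Z,192.0.2.77,192.0.2.10,tcp,102
2025-06-10T08:02:03Z,198.51.100.7,192.0.2.10,tcp,443
2025-06-10T08:02:30Z,not-an-ip,192.0.2.10,tcp,102
"""

def unauthorized_s7_flows(flow_csv):
    """Return (violations, rejected): flows to a PLC on TCP/102 from sources
    outside the allowlist, and records that could not be parsed."""
    violations, rejected = [], []
    for row in csv.reader(io.StringIO(flow_csv)):
        if not row:
            continue
        try:
            ts, src, dst, proto, dport = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            rejected.append(row)  # malformed record: surface it, do not drop it silently
            continue
        if dst_ip not in PLC_ADDRS or proto.lower() != "tcp" or port != S7_PORT:
            continue  # not S7 traffic to a protected CPU
        if not any(src_ip in net for net in ALLOWED_SOURCES):
            violations.append((ts, str(src_ip)))
    return violations, rejected

if __name__ == "__main__":
    bad, junk = unauthorized_s7_flows(SAMPLE_FLOWS)
    for ts, src in bad:
        print(f"{ts} unauthorized source {src} reached TCP/{S7_PORT}")
    print(f"{len(junk)} unparseable record(s)")
```

Any violation means the segmentation or firewall rule is not enforcing the allowlist on that path; unparseable records are returned separately so a logging fault is not mistaken for a clean result.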
CVEs (148)
Siemens SIMATIC S7-1500 CPU Family | CVSS 9.8 - OTPulse