OTPulse

FESTO Didactic CP, MPS 200, and MPS 400 Firmware

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-182-01 · Sep 9, 2024

Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens SIMATIC S7-1500 and ET200SP CPUs installed in Festo Didactic CP, MPS 200, and MPS 400 systems contain a memory protection bypass vulnerability (CVE-2020-15782) that allows an attacker to write arbitrary data and code to protected memory areas or read sensitive data. The vulnerability is caused by improper memory access controls in the CPU firmware and can be exploited remotely without authentication. Affected versions: CP, MPS 200, and MPS 400 with firmware versions prior to V2.9.2.

What this means
What could happen
An attacker with network access to the PLC could bypass memory protections to read sensitive process data or write commands that alter setpoints, disable safety interlocks, or halt production on these manufacturing training and automation systems.
Who's at risk
Manufacturing organizations using Festo Didactic training and production systems (CP with S7 PLC, MPS 200, and MPS 400 automation modules) equipped with Siemens S7-1500 or ET200SP CPUs running firmware versions older than V2.9.2 are affected. This impacts both training environments and operational production lines that rely on these systems for process control.
How it could be exploited
An attacker sends specially crafted network packets to the Siemens S7-1500 or ET200SP CPU that bypass memory protection mechanisms, allowing them to read or write to protected memory regions. This could let them extract process credentials or inject control commands directly into the PLC.
Prerequisites
  • Network reachability to the PLC on its control port (typically port 102 for S7 communication)
  • No authentication required—the vulnerability exists in the CPU firmware regardless of user credentials
Tags: remotely exploitable · no authentication required · low complexity attack · memory protection bypass enables arbitrary code execution · affects production control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
3 with fix
Product               Affected Versions   Fix Status
CP including S7 PLC   < V2.9.2            V2.9.2
MPS 200 Systems       < V2.9.2            V2.9.2
MPS 400 Systems       < V2.9.2            V2.9.2
Remediation & Mitigation
Do now
HARDENING: Isolate control system networks from the internet; place PLCs behind firewalls and restrict network access to only authorized engineering stations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Festo Didactic CP, MPS 200, and MPS 400 firmware to V2.9.2 or later
Long-term hardening
HARDENING: Use VPN for any required remote access to the systems, keeping VPN software patched
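A defender-side check for the hotfix and hardening items above, added here as an example; it is not part of the OTPulse advisory and not Festo or Siemens tooling. It does two things a practitioner would want after reading this advisory: compare an asset inventory against the fixed firmware version V2.9.2 (numeric comparison, so a later release such as V2.9.10 is not misread as older than V2.9.2), and review firewall log lines for TCP/102 (S7 communication) connections to the PLCs that did not come from an authorized engineering station. The inventory, IP addresses, log format and the V2.9.10 / v2.10.0 version strings are constructed assumptions.

```python
"""Firmware-gap and S7 (TCP/102) access review for the Festo Didactic advisory.

Added example, not OTPulse/Festo/Siemens code. All inventory entries, addresses
and log lines below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

FIXED_VERSION = "V2.9.2"   # fix status from the advisory's product table
S7_PORT = 102              # S7 communication port named under Prerequisites


def parse_version(v: str) -> Tuple[int, ...]:
    """'V2.9.2' -> (2, 9, 2); accepts a leading 'V'/'v' and surrounding whitespace."""
    return tuple(int(part) for part in v.strip().lstrip("Vv").split("."))


def needs_hotfix(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Affected range is '< V2.9.2': True when the installed firmware is older."""
    return parse_version(installed) < parse_version(fixed)


# Constructed inventory: product line, PLC address, firmware version the device reports.
INVENTORY: List[Dict[str, str]] = [
    {"product": "CP including S7 PLC", "ip": "192.0.2.10", "firmware": "V2.8.3"},
    {"product": "MPS 200 Systems",     "ip": "192.0.2.11", "firmware": "V2.9.2"},
    {"product": "MPS 400 Systems",     "ip": "192.0.2.12", "firmware": "V2.9.10"},  # constructed
    {"product": "MPS 400 Systems",     "ip": "192.0.2.13", "firmware": "v2.10.0"},  # constructed
]


def firmware_gap(inventory: List[Dict[str, str]] = INVENTORY) -> List[Dict[str, str]]:
    """Devices still on an affected firmware version, i.e. the HOTFIX backlog."""
    return [dev for dev in inventory if needs_hotfix(dev["firmware"])]


# Constructed firewall log: timestamp, action, protocol, src -> dst:port.
FLOW_LOG = """\
2024-09-09T08:01:12Z ACCEPT TCP 10.10.5.20 -> 192.0.2.10:102
2024-09-09T08:02:44Z ACCEPT TCP 10.10.5.21 -> 192.0.2.11:102
2024-09-09T08:03:05Z ACCEPT TCP 172.16.40.7 -> 192.0.2.12:102
2024-09-09T08:03:09Z ACCEPT TCP 10.10.5.20 -> 192.0.2.12:443
2024-09-09T08:04:30Z DROP   TCP 203.0.113.5 -> 192.0.2.10:102
"""

# Hosts allowed to speak S7 to the PLCs (the "authorized engineering stations").
ENGINEERING_STATIONS: Set[str] = {"10.10.5.20", "10.10.5.21"}

LINE_RE = re.compile(r"^(\S+)\s+(ACCEPT|DROP)\s+TCP\s+(\S+)\s+->\s+(\S+):(\d+)$")


def review_s7_access(log: str = FLOW_LOG,
                     allowed: Set[str] = ENGINEERING_STATIONS,
                     plcs: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Flag S7 (TCP/102) traffic to the PLCs that the hardening item says should not exist.

    Two finding kinds: an ACCEPTed connection from a host outside the engineering
    allowlist (a firewall gap to close), and a DROPped attempt (evidence that
    something unauthorized is probing the control port).
    """
    plc_set = plcs if plcs is not None else {dev["ip"] for dev in INVENTORY}
    findings: List[Dict[str, str]] = []
    for raw in log.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # not a flow line we understand; skip rather than guess
        ts, action, src, dst, port = match.groups()
        if int(port) != S7_PORT or dst not in plc_set:
            continue  # only S7 traffic to the PLCs is in scope here
        if action == "ACCEPT" and src not in allowed:
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "reason": "S7 access accepted from non-engineering host"})
        elif action == "DROP":
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "reason": "blocked S7 attempt"})
    return findings


if __name__ == "__main__":
    for dev in firmware_gap():
        print(f"HOTFIX needed: {dev['product']} at {dev['ip']} runs {dev['firmware']} (< {FIXED_VERSION})")
    for finding in review_s7_access():
        print(f"{finding['ts']} {finding['src']} -> {finding['dst']}:{S7_PORT} {finding['reason']}")
```

Run it as-is to see the constructed data evaluated; in practice, feed `firmware_gap` the inventory your asset-management export produces and `review_s7_access` your firewall's flow log, adjusting `LINE_RE` to that product's line format.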