OTPulse

Siemens SIMATIC ET 200SP Communication Processors

Act Now | CVSS 9.8 | ICS-CERT ICSA-25-289-07 | Oct 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC ET 200SP communication processors (CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS variants) contain an authentication vulnerability that allows an unauthenticated remote attacker to access and retrieve the device's configuration data. This includes network topology, device parameters, and engineering settings that define how connected I/O modules and field devices operate. Affected devices are distributed I/O modules used in industrial plants to manage remote input/output terminals and control field devices.

What this means
What could happen
An unauthenticated attacker with network access to a communication processor could retrieve the device's configuration data, including network settings and engineering parameters that control field device behavior. This exposure could enable downstream attacks on connected I/O modules and field devices.
Who's at risk
Water and wastewater treatment facilities, electric utilities, and transportation systems that use Siemens SIMATIC ET 200SP distributed I/O modules with communication processors (CP 1542SP-1, CP 1543SP-1, or their SIPLUS industrial variants) to manage remote field devices and process data. Any organization that uses these processors to manage pumps, motors, valves, or other critical assets is also at risk.
How it could be exploited
An attacker on the network sends unauthenticated requests directly to the communication processor on port 502 (Modbus) or the management interface. The processor returns configuration data without requiring credentials, exposing the settings needed to understand the plant's control topology and process logic.
Prerequisites
  • Network access to the communication processor (a direct network path, or access through a compromised device on the same subnet)
  • No valid credentials required
Remotely exploitable · No authentication required · Low complexity attack · Critical CVSS (9.8) · Affects industrial control system configuration disclosure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
SIMATIC CP 1542SP-1 | < 2.4.24 | 2.4.24
SIMATIC CP 1542SP-1 IRC | < 2.4.24 | 2.4.24
SIMATIC CP 1543SP-1 | < 2.4.24 | 2.4.24
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL | < 2.4.24 | 2.4.24
SIPLUS ET 200SP CP 1543SP-1 ISEC | < 2.4.24 | 2.4.24
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL | < 2.4.24 | 2.4.24
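
Added example (not part of the advisory and not Siemens or OTPulse code): triaging an asset inventory against the affected-products table, comparing firmware versions numerically because a string comparison would rank 2.4.8 above 2.4.24. Assumptions: the inventory records, asset tags and firmware values are constructed, and the status labels are hypothetical; only the product names and the fixed version 2.4.24 come from the table.

```python
import re

# Product names and the fixed version are taken from the advisory's table.
FIXED = (2, 4, 24)
AFFECTED = {
    "SIMATIC CP 1542SP-1",
    "SIMATIC CP 1542SP-1 IRC",
    "SIMATIC CP 1543SP-1",
    "SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL",
    "SIPLUS ET 200SP CP 1543SP-1 ISEC",
    "SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL",
}

def norm(name):
    """Collapse whitespace and case so inventory spelling variants match."""
    return " ".join(name.upper().split())
AFFECTED_NORM = {norm(p) for p in AFFECTED}

def parse_version(text):
    """Return a 3-part integer tuple, or None if the string is not a version."""
    m = re.fullmatch(r"\s*[Vv]?\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(asset):
    """Classify one inventory record against the advisory."""
    if norm(asset["product"]) not in AFFECTED_NORM:
        return "not-listed"
    ver = parse_version(asset.get("firmware"))
    if ver is None:
        return "verify-manually"   # unknown firmware: treat as unresolved
    return "update-required" if ver < FIXED else "fixed"

# Constructed sample inventory (hypothetical asset tags and firmware values).
INVENTORY = [
    {"tag": "PS-01", "product": "SIMATIC CP 1543SP-1", "firmware": "V2.4.8"},
    {"tag": "PS-02", "product": "simatic cp 1542sp-1  irc", "firmware": "2.4.24"},
    {"tag": "PS-03", "product": "SIMATIC CP 1542SP-1", "firmware": "2.10.0"},
    {"tag": "PS-04", "product": "SIPLUS ET 200SP CP 1543SP-1 ISEC", "firmware": ""},
    {"tag": "PS-05", "product": "SIMATIC CP 1542SP-1", "firmware": "2.4"},
    {"tag": "PS-06", "product": "Other vendor gateway", "firmware": "4.2.0"},
]

def report(inventory):
    return {a["tag"]: triage(a) for a in inventory}

if __name__ == "__main__":
    for tag, status in report(INVENTORY).items():
        print(f"{tag}: {status}")
```

Records that come back as verify-manually should be checked on the device itself before they are counted as fixed.
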
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the communication processor to trusted IP addresses only using firewall rules or access control lists
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected SIMATIC CP and SIPLUS ET 200SP communication processors to firmware version 2.4.24 or later
Long-term hardening
HARDENING: Isolate control system networks from business networks and the internet; place communication processors behind a firewall with restrictive egress/ingress rules
HARDENING: Implement a VPN for any required remote access to engineering workstations; ensure the VPN is updated to the latest version