Siemens SIMATIC
Act Now | CVSS 9.6 | ICS-CERT ICSA-26-071-04 | Mar 12, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
SIMATIC S7-1500 and related Siemens devices contain an injection vulnerability, classified as CWE-79 (cross-site scripting), in the trace file import functionality of the web interface. An attacker can craft a malicious trace file and socially engineer a legitimate user into importing it, resulting in execution of attacker-controlled code in the context of the device's web interface. The CWE-79 classification means the injected content is script executed by the browser of the user who imports or views the file, and what it can do is bounded by that user's web session; the 9.6 score corresponds to a changed-scope CVSS vector (network, low complexity, no privileges, user interaction required). Siemens has released firmware version 4.1.2 or later for some affected product families; many product variants remain without a fix. The vulnerability affects Drive Controller CPUs (1504D, 1507D), ET 200SP CPUs (1510SP, 1512SP, 1514SP) and 1515SP Open Controllers, the S7-1500 CPU series (1511 to 1518 and variants), S7-1500 software controllers, ET 200pro CPUs, and SIPLUS hardened variants.
What this means
What could happen
An attacker could get malicious content executed through a Siemens PLC's web interface by tricking an operator into importing a specially crafted trace file. Because the weakness is cross-site scripting (CWE-79), the injected script runs in the browser of the user who imports or views the trace, with whatever rights that user's web session holds, potentially allowing actions in that session that could alter process logic, change safety setpoints, or halt production.
Who's at risk
Manufacturing facilities using Siemens SIMATIC S7-1500 and ET 200SP programmable logic controllers (PLCs), especially discrete manufacturers, process industries (chemical, pharmaceutical, food & beverage), and utilities. Affected models include the Drive Controller CPU 1504D/1507D, ET 200SP CPU variants (1510SP, 1512SP, 1514SP, 1515SP), and S7-1500 CPU series (1511–1518). Also affects SIPLUS hardened variants and S7-1500 software controllers running on Windows or industrial OS.
How it could be exploited
An attacker crafts a malicious trace file and tricks a legitimate user (engineering staff or operator) into uploading it via the device's web interface. The import path does not properly neutralize content taken from the file before the web interface renders or processes it (CWE-79, cross-site scripting), so attacker-controlled script runs when the file is imported or viewed; the classification points to client-side or template injection rather than execution in the PLC runtime. From that web session the attacker could then attempt to modify PLC logic or operations, which is the impact the CVSS score reflects.
Prerequisites
- Network access to the device's web interface (port 80/tcp or 443/tcp)
- A legitimate user must be convinced to import the malicious trace file
- The web interface must be enabled on the device
Key points
- Remotely exploitable via the web interface
- User interaction required (social engineering)
- CVSS 9.6 (critical severity)
- Many products have no vendor patch available
- Low exploit probability (0.1% EPSS) but high impact if exploited
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (135): 40 with fix, 95 pending. First five rows shown:

Product                                 | Affected versions | Fix status
----------------------------------------|-------------------|-----------
SIMATIC Drive Controller CPU 1504D TF   | All versions      | No fix yet
SIMATIC Drive Controller CPU 1507D TF   | All versions      | No fix yet
SIMATIC ET 200SP CPU 1510SP F-1 PN      | All versions      | No fix yet
SIMATIC ET 200SP CPU 1510SP F-1 PN      | < 4.1.2           | 4.1.2
SIMATIC ET 200SP CPU 1510SP-1 PN        | All versions      | No fix yet
Remediation & Mitigation (6 actions)

Do now
- HARDENING: Disable the web server on affected devices if it is not required for operations.
- WORKAROUND: Restrict access to ports 80/tcp and 443/tcp to trusted IP addresses only, using firewall rules.
- HARDENING: Instruct operators and engineering staff to upload only trace files from known, trusted sources and to verify file integrity before import.
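The "verify file integrity before import" step can be made concrete with a pre-import check run on the engineering workstation. The following Python script is an added example written for this page; it is not Siemens tooling, and the advisory does not describe any particular check. It assumes a hypothetical handover process in which trace files come with a sha256sum-style manifest written by the station that recorded them, and it treats the trace format opaquely: a zip container is inspected member by member, anything else as one blob. On top of the hash check it applies a heuristic scan for HTML and script markup, the payload class a CWE-79 issue is triggered by. The sample files and manifest are constructed inline.

```python
"""Pre-import check for PLC trace files.

Added example for this advisory page; not Siemens tooling. Assumptions
(hypothetical, not from the advisory): trace files are handed over with a
sha256sum-style manifest written by the station that recorded them, and the
file is either a zip container or a single text-like blob. Nothing here
depends on the real trace format.
"""
import hashlib
import io
import re
import zipfile

# Heuristic markers of the payload class a CWE-79 issue is triggered by.
# Kept narrow on purpose so ordinary XML tags in a recording do not match:
# a short list of tags, javascript: URLs, and a few event-handler attributes.
SUSPICIOUS = re.compile(
    rb"<\s*(script|img|svg|iframe|object|embed)\b"
    rb"|javascript\s*:"
    rb"|\bon(load|error|click|mouseover|focus|blur|input|animationstart)\s*=",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines (the sha256sum output format)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.strip()] = digest.strip().lower()
    return entries


def member_blobs(data: bytes):
    """Yield (part_name, bytes) for each part worth scanning.

    A zip container is opened and every member is yielded; anything else is
    treated as one opaque blob named "(file)".
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                yield info.filename, zf.read(info)
    else:
        yield "(file)", data


def check_trace_file(name: str, data: bytes, manifest: dict) -> list:
    """Return a list of findings; an empty list means the file may be imported."""
    findings = []
    expected = manifest.get(name)
    actual = sha256_hex(data)
    if expected is None:
        findings.append(f"{name}: not listed in manifest")
    elif expected != actual:
        findings.append(f"{name}: SHA-256 mismatch (expected {expected[:12]}.., got {actual[:12]}..)")
    # Scan content even when the hash matches: the manifest only proves who
    # handed the file over, not that its content is harmless.
    for part, blob in member_blobs(data):
        m = SUSPICIOUS.search(blob)
        if m:
            snippet = blob[m.start():m.start() + 40]
            findings.append(f"{name}:{part}: suspicious markup at offset {m.start()}: {snippet!r}")
    return findings


def build_samples():
    """Constructed sample inputs (made up for this example, not real trace data)."""
    clean = (b'<?xml version="1.0"?>\n'
             b'<Trace name="Line3 pressure" sample_ms="10">\n'
             b'  <Signal name="DB10.P_actual" unit="bar"/>\n'
             b'</Trace>\n')
    # Same recording with a generic XSS probe planted in a display name.
    tampered = clean.replace(b"Line3 pressure", b"Line3 <img src=x onerror=alert(1)>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("recording.xml", tampered)
    bundled = buf.getvalue()
    # The manifest lists the clean file and, to show the limits of hashing,
    # also the bundle that already contains the planted markup.
    manifest = parse_manifest(
        f"{sha256_hex(clean)}  recording.trace\n"
        f"{sha256_hex(bundled)}  bundle.zip\n"
    )
    return clean, tampered, bundled, manifest


if __name__ == "__main__":
    clean, tampered, bundled, manifest = build_samples()
    for fname, blob in [("recording.trace", clean), ("recording.trace", tampered),
                        ("bundle.zip", bundled), ("other.trace", clean)]:
        result = check_trace_file(fname, blob, manifest)
        print(fname, "OK" if not result else "REJECT", *result, sep="\n  ")
```

A hash match only proves the file is the one the manifest author handed over, which is why the markup scan runs even on files whose hash matches; the bundle.zip case shows a listed file being rejected on content alone. The heuristic is deliberately narrow (a handful of tags, javascript: URLs, a few event-handler attributes) so that the ordinary XML tags of a recording do not trigger it; treat any hit as grounds to reject the file and escalate, not as a definitive verdict.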
Schedule (requires a maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update affected SIMATIC S7-1500 and ET 200SP devices to firmware version 4.1.2 or later where available.

Long-term hardening
- HARDENING: Isolate control system networks and PLC devices behind firewalls; prevent direct internet routing to any SIMATIC device.
- HARDENING: Segment the OT network from business IT networks to limit lateral movement if a device is compromised.
CVEs (1)