Siemens SIMATIC

Plan Patch | CVSS 9.6 | ICS-CERT ICSA-26-071-04 | Mar 10, 2026
Siemens | Manufacturing | Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

SIMATIC S7-1500, ET 200SP, and Drive Controller CPUs contain a code injection vulnerability in the web interface trace file import functionality. A specially crafted trace file uploaded via the web interface (Port 80/443) can execute arbitrary code on the PLC. This affects all versions of many CPU variants; some variants (S7-1500 and ET 200SP CPUs with firmware < 4.1.2) have fixes available, while others have no planned remediation. The web interface is enabled by default, exposing the vulnerability on any network-connected PLC.

What this means
What could happen
An attacker could trick a legitimate user into importing a malicious trace file through the web interface, injecting code that runs on the PLC with full control. This could allow the attacker to alter process setpoints, stop operations, or trigger unintended safety actions.
Who's at risk
This affects manufacturing and transportation operators using Siemens SIMATIC S7-1500, ET 200SP, and Drive Controller CPUs for process control. This includes any facility using these PLCs for automation: assembly lines, process control, motion control, discrete manufacturing, and rail/vehicle systems. If your facility uses Siemens SIMATIC industrial controllers, they are affected.
How it could be exploited
An attacker crafts a malicious trace file and tricks a legitimate user (engineer or operator) into uploading it via the web interface on Port 80 or 443. The PLC executes the injected code, giving the attacker control over the controller logic and industrial processes.
Prerequisites
  • User must have web interface access to the PLC (typically local network or engineering workstation)
  • User must be tricked into uploading/importing a specially crafted trace file
  • Web server must be enabled on the affected CPU (enabled by default)
  • remotely exploitable
  • low complexity
  • requires user interaction (social engineering)
  • no patch available for many product variants
  • affects core process control logic
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (135)
40 with fix, 95 pending
Product | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF | All versions | No fix yet
SIMATIC Drive Controller CPU 1507D TF | All versions | No fix yet
SIMATIC ET 200SP CPU 1510SP F-1 PN | All versions | No fix yet
SIMATIC ET 200SP CPU 1510SP F-1 PN | < 4.1.2 | 4.1.2
SIMATIC ET 200SP CPU 1510SP-1 PN | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on affected CPUs if the web interface is not required for operations
HARDENING: Restrict access to Port 80 (HTTP) and Port 443 (HTTPS) on affected CPUs to trusted engineering workstations and management networks only using firewall rules or network segmentation
HARDENING: Establish a policy requiring users to upload only trace files from trusted, verified sources and to avoid importing files from untrusted origins
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update affected SIMATIC S7-1500, ET 200SP, and Drive Controller CPUs to firmware version 4.1.2 or later
Long-term hardening
HARDENING: Isolate SIMATIC control system networks from business networks and the internet using firewalls or air-gapping where feasible
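
An added example, not part of the original advisory page: a triage pass over an asset inventory that maps each CPU to one of the remediation actions above, using only the five product rows visible in the table on this page (the full list has 135 products). The hostnames, firmware strings, action labels and function names are assumptions made for illustration.

```python
"""Triage a PLC inventory against the advisory's product/fix rows."""

# Rows visible in the table above: (product, fixed_in).
# fixed_in = None means "All versions / No fix yet".
ADVISORY_ROWS = [
    ("SIMATIC Drive Controller CPU 1504D TF", None),
    ("SIMATIC Drive Controller CPU 1507D TF", None),
    ("SIMATIC ET 200SP CPU 1510SP F-1 PN", None),
    ("SIMATIC ET 200SP CPU 1510SP F-1 PN", "4.1.2"),
    ("SIMATIC ET 200SP CPU 1510SP-1 PN", None),
]

def parse_version(text):
    """'V4.1.10' -> (4, 1, 10). Numeric tuples avoid the string-compare
    trap where '4.1.10' sorts before '4.1.2'."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))

def triage(product, firmware, rows=ADVISORY_ROWS):
    """Return one action label (labels are this example's own) for a CPU."""
    fixes = [fixed for name, fixed in rows if name == product]
    if not fixes:
        return "not-listed"
    has_no_fix_row = None in fixes
    fixed_versions = [parse_version(f) for f in fixes if f is not None]
    if has_no_fix_row and fixed_versions:
        # Same product name appears with and without a fix; the table does
        # not show what separates the two rows, so a person has to check.
        return "verify-variant"
    if has_no_fix_row:
        return "mitigate-no-fix"  # disable web server / restrict ports 80, 443
    try:
        current = parse_version(firmware)
    except ValueError:
        return "verify-firmware"  # unreadable version: do not assume patched
    return "update" if current < max(fixed_versions) else "fixed"

# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE_INVENTORY = [
    ("plc-line1", "SIMATIC Drive Controller CPU 1504D TF", "V3.1.0"),
    ("plc-line2", "SIMATIC ET 200SP CPU 1510SP F-1 PN", "V4.0.3"),
    ("plc-line3", "SIMATIC ET 200SP CPU 1510SP-1 PN", "V4.1.10"),
]

def triage_inventory(inventory, rows=ADVISORY_ROWS):
    """Map each hostname in the inventory to its action label."""
    return {host: triage(product, fw, rows) for host, product, fw in inventory}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

Entries labelled "mitigate-no-fix" or "verify-variant" stay on the "Do now" workarounds until a fix is confirmed for that exact CPU.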
API: /api/v1/advisories/46cbb179-0d0e-4e7b-b724-a747830e3d4a
