Siemens SIMATIC S7 PLC Web Server

Plan Patch | CVSS 9.1 | ICS-CERT ICSA-26-134-15 | May 12, 2026
Siemens | Manufacturing | Transportation
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

SIMATIC S7 PLC web servers contain multiple cross-site scripting (XSS) vulnerabilities in their diagnostic and configuration interfaces. An attacker with engineering credentials or firmware update privileges could inject malicious scripts that execute in the browsers of operators and engineers accessing PLC web pages. Siemens has released fixed firmware versions (2.9.9 and 3.1.6) for many affected models. For older and end-of-life models without fixes, Siemens recommends restricting access to firmware updates and TIA project downloads to authorized personnel only.

What this means
What could happen
An attacker with high-privilege credentials (engineering access) could inject malicious scripts into the PLC's web interface that execute when an operator accesses diagnostic or configuration pages, potentially allowing the attacker to modify process parameters, capture credentials, or redirect operators to malicious sites.
Who's at risk
Manufacturing and transportation facilities using SIMATIC S7-1500, SIMATIC ET 200SP, SIMATIC Drive Controller, and SIMATIC S7-PLCSIM software environments. This affects process automation engineers and operators who access PLC web-based diagnostic or configuration interfaces.
How it could be exploited
An attacker with engineering credentials or firmware update privileges could inject cross-site scripting (XSS) payloads through the web server interface. The malicious script executes when a human operator or engineer accesses PLC web pages (diagnostics, configuration, monitoring dashboards). The attacker can then harvest credentials, modify displayed values, or use the operator's browser session to alter PLC settings.
Prerequisites
  • High-privilege credentials (engineering workstation or firmware update authorization)
  • Network access to the PLC's web interface (typically port 80/443)
  • Victim (operator or engineer) must access a compromised PLC web page after injection
requires high-privilege credentials | human interaction required (victim must visit web page) | affects plant diagnostic and configuration interfaces | many models have no fix planned or mitigation-only status
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (121)
61 with fix | 34 pending | 26 EOL
Product | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF | < 3.1.6 | 3.1.6
SIMATIC Drive Controller CPU 1507D TF | < 3.1.6 | 3.1.6
SIMATIC ET 200SP CPU 1510SP F-1 PN | All versions | No fix (EOL)
SIMATIC ET 200SP CPU 1510SP F-1 PN | < 2.9.9 | 2.9.9
SIMATIC ET 200SP CPU 1510SP-1 PN | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict read/write access to the PLC's web interface to authorized engineering personnel only using network firewall rules
HARDENING: Restrict the 'firmware update' function right to explicitly authorized and trained personnel only
HARDENING: Limit TIA project download permissions to trusted engineering staff only, preventing unauthorized personnel from uploading potentially malicious configurations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update affected SIMATIC Drive Controller CPU 1504D TF and 1507D TF to firmware version 3.1.6 or later
All products
HOTFIX: Update affected SIMATIC S7-1500 and ET 200SP CPUs to firmware version 2.9.9 or later (for 2.9.9-branch models)
HOTFIX: Update affected SIMATIC S7-1500 CPUs (1516T-3, 1516TF-3, 1517-3, 1517F-3, 1517T-3, 1517TF-3, 1518-4, 1518-4 MFP, 1518F-4, 1518F-4 MFP, 1518T-4, 1518TF-4 and SIPLUS variants) to firmware version 3.1.6 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC ET 200SP CPU 1510SP F-1 PN, SIMATIC ET 200SP CPU 1510SP-1 PN, SIMATIC ET 200SP CPU 1512SP F-1 PN, SIMATIC ET 200SP CPU 1512SP-1 PN, SIMATIC S7-1500 CPU 1511-1 PN, SIMATIC S7-1500 CPU 1511F-1 PN, SIMATIC S7-1500 CPU 1513-1 PN, SIMATIC S7-1500 CPU 1513F-1 PN, SIMATIC S7-1500 CPU 1515-2 PN, SIMATIC S7-1500 CPU 1515F-2 PN, SIMATIC S7-1500 CPU 1516-3 PN/DP, SIMATIC S7-1500 CPU 1516F-3 PN/DP, SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK, SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK, SIMATIC S7-1500 Software Controller CPU 1507S F V2, SIMATIC S7-1500 Software Controller CPU 1507S V2, SIMATIC S7-1500 Software Controller CPU 1508S F V2, SIMATIC S7-1500 Software Controller CPU 1508S V2, SIMATIC S7-1500 Software Controller Linux V2, SIPLUS ET 200SP CPU 1512SP F-1 PN, SIPLUS S7-1500 CPU 1511-1 PN, SIPLUS S7-1500 CPU 1511F-1 PN, SIPLUS S7-1500 CPU 1513-1 PN, SIPLUS S7-1500 CPU 1513F-1 PN, SIPLUS S7-1500 CPU 1516-3 PN/DP, SIPLUS S7-1500 CPU 1516F-3 PN/DP. Apply the following compensating controls:
HARDENING: For products with no fix planned (S7-1500 Software Controller v2, S7-1518 ODK models) or mitigation-only status, implement firewall segmentation to isolate the PLC web interface from untrusted networks
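A triage sketch for splitting an asset inventory into "patch", "isolate" and "already fixed" according to the affected-products table and remediation steps above. It is an added example, not code from Siemens or ICS-CERT; the rule rows are only the five shown on this page, and the inventory entries, asset tags and status strings are constructed.

```python
import re

# Rows copied from the affected-products table on this page (5 of 121 listed).
# fixed=None encodes "All versions / No fix (EOL)".
RULES = [
    ("SIMATIC Drive Controller CPU 1504D TF", "3.1.6"),
    ("SIMATIC Drive Controller CPU 1507D TF", "3.1.6"),
    ("SIMATIC ET 200SP CPU 1510SP F-1 PN", None),
    ("SIMATIC ET 200SP CPU 1510SP F-1 PN", "2.9.9"),
    ("SIMATIC ET 200SP CPU 1510SP-1 PN", None),
]

# Constructed inventory for illustration: (asset tag, product, installed firmware).
INVENTORY = [
    ("line1-drive", "SIMATIC Drive Controller CPU 1504D TF", "V3.1.5"),
    ("line2-drive", "SIMATIC Drive Controller CPU 1507D TF", "V3.1.6"),
    ("pack-io-01", "SIMATIC ET 200SP CPU 1510SP-1 PN", "V2.9.9"),
    ("pack-io-02", "SIMATIC ET 200SP CPU 1510SP F-1 PN", "V2.9.4"),
]

def parse_version(text):
    """'V3.1.5' -> (3, 1, 5); integer tuples so that 3.10 sorts above 3.9."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def triage(product, firmware):
    """Map one asset to an action using only the rows in RULES."""
    rows = [fixed for name, fixed in RULES if name == product]
    if not rows:
        return "not-listed"
    if None in rows and len(rows) > 1:
        # Same name is listed as EOL and as fixable: the name alone cannot decide.
        return "ambiguous-see-advisory"
    if rows[0] is None:
        return "eol-isolate"      # no firmware fix: firewall segmentation applies
    if parse_version(firmware) >= parse_version(rows[0]):
        return "fixed"
    return f"patch:{rows[0]}"     # schedule a maintenance window for the update

def triage_inventory(inventory):
    return {tag: triage(product, fw) for tag, product, fw in inventory}

if __name__ == "__main__":
    for tag, action in triage_inventory(INVENTORY).items():
        print(f"{tag:12} {action}")
```

Products that appear twice in the table under the same name (once as EOL, once with a fixed version) are deliberately reported as ambiguous rather than guessed.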
API: /api/v1/advisories/dccd1102-b501-4d48-87cc-b91cdc8a9216
