OTPulse

Unauthenticated Information Disclosure in Web Server of SIMATIC S7-1500 CPUs

Priority: Monitor · Severity score: 5.3 · Advisory: SSA-054046 · Published: Oct 8, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An authentication bypass in the web server of SIMATIC S7-1500 CPUs, SIMATIC ET 200SP CPUs, SIMATIC Drive Controller CPUs, SIMATIC S7-1500 Software Controllers, and related SIPLUS variants allows an unauthenticated remote attacker to retrieve sensitive CPU performance metrics including maximum cycle times and communication load. The vulnerability affects dozens of CPU model variants across multiple product families. No code execution or operational disruption occurs, but the disclosed metrics provide reconnaissance data for further attacks. Siemens has released firmware updates for most affected products; for SIMATIC S7-1500 Software Controller Linux V2 (all versions), no fix is planned.

What this means
What could happen
An unauthenticated attacker on the network can obtain information about CPU cycle times and communication load without credentials. This reconnaissance data could support planning of more targeted attacks on process control operations.
Who's at risk
Manufacturing facilities and transportation systems using Siemens SIMATIC S7-1500 CPUs, SIMATIC ET 200SP controllers, SIMATIC Drive Controllers, and S7-1500 Software Controllers. This affects discrete and process automation across assembly lines, chemical processing, water treatment plants, power generation, and rail control systems.
How it could be exploited
An attacker with network access to the Ethernet port of an affected S7-1500 CPU can query the web server over HTTP without authentication and retrieve cycle time and communication load metrics. This information helps map the controller's operational characteristics for further attack planning.
Prerequisites
  • Network connectivity to the Ethernet port of the CPU
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · information disclosure only (no code execution)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (105)
104 with fix · 1 pending

Product                                  Affected Versions   Fix Status
SIMATIC Drive Controller CPU 1504D TF    < 3.1.4             3.1.4
SIMATIC Drive Controller CPU 1507D TF    < 3.1.4             3.1.4
SIMATIC ET 200SP CPU 1510SP F-1 PN       < 2.9.8             2.9.8
SIMATIC ET 200SP CPU 1510SP F-1 PN       < 3.1.4             3.1.4
SIMATIC ET 200SP CPU 1510SP-1 PN         < 2.9.8             2.9.8
Remediation & Mitigation
Do now
WORKAROUND: Deploy firewall rules to block inbound HTTP access to the CPU web server from untrusted network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and 1507D TF to firmware version 3.1.4 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 7.0 or later
All products
HOTFIX: Update SIMATIC S7-1500 CPU 1511, 1512, 1513, 1515, 1516, 1517, 1518 series to firmware version 2.9.8 or later
HOTFIX: Update SIMATIC ET 200SP CPU 1510SP, 1512SP series to firmware version 2.9.8 or later
HOTFIX: Update SIMATIC ET 200SP CPU 1514SP and 1514SPT series to firmware version 3.1.4 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 Windows OS (V2) to version 21.9.8 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (V3) to version 31.1.4 or later
HOTFIX: Update SIMATIC S7-1500 Software Controller V2 to version 21.9.8 or later
HOTFIX: Update SIMATIC S7-1500 Software Controller V3 to version 31.1.4 or later
HOTFIX: Update SIPLUS ET 200SP and S7-1500 variants to version 2.9.8 or later (for affected models)
Long-term hardening
HARDENING: Implement network segmentation to restrict access to S7-1500 CPU Ethernet ports to authorized engineering and operations workstations only
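As an added example (not code from the advisory or from Siemens), the following script triages a CPU inventory against the fixed-firmware thresholds listed in this page's affected-products table and remediation list. The hostnames and inventory are constructed, and the threshold table is partial because the page shows only some of the 105 affected products; it also shows why a CPU with separate V2.x and V3.x firmware lines cannot be checked with a single minimum version.

```python
import re

# Product -> first fixed firmware per maintenance branch (None = no fix planned),
# from this page's affected-products table and remediation list. Those show only
# part of the 105 affected products, so complete this from the vendor advisory.
# Branches matter: the 1510SP F-1 PN has V2.x and V3.x lines, so firmware 3.1.3
# is still affected although it is numerically above the V2 fix 2.9.8.
FIXED_VERSIONS = {
    "SIMATIC Drive Controller CPU 1504D TF": ["3.1.4"],
    "SIMATIC ET 200SP CPU 1510SP F-1 PN": ["2.9.8", "3.1.4"],
    "SIMATIC ET 200SP CPU 1510SP-1 PN": ["2.9.8"],
    "SIMATIC S7-1500 Software Controller V2": ["21.9.8"],
    "SIMATIC S7-1500 Software Controller V3": ["31.1.4"],
    "SIMATIC S7-1500 Software Controller Linux V2": [None],
}
# Constructed sample inventory (host, product, firmware); not real devices.
INVENTORY = [
    ("plc-line1", "SIMATIC ET 200SP CPU 1510SP F-1 PN", "V2.9.7"),
    ("plc-line2", "SIMATIC ET 200SP CPU 1510SP F-1 PN", "V3.1.3"),
    ("plc-line3", "SIMATIC ET 200SP CPU 1510SP F-1 PN", "V3.1.4"),
    ("drv-01", "SIMATIC Drive Controller CPU 1504D TF", "V3.1.4"),
    ("swc-01", "SIMATIC S7-1500 Software Controller Linux V2", "V21.8.0"),
]

def parse_version(text):
    """'V3.1.4' or '3.1.4' -> (3, 1, 4); anything else is rejected."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def triage(product, firmware):
    """Return 'affected', 'fixed', 'affected-no-fix' or 'unknown'."""
    fixes = FIXED_VERSIONS.get(product)
    if fixes is None:
        return "unknown"            # product not in our (partial) table
    if fixes == [None]:
        return "affected-no-fix"    # every version affected, no fix planned
    fw = parse_version(firmware)
    for fixed in fixes:
        fixed_t = parse_version(fixed)
        if fw[0] == fixed_t[0]:     # compare only within the same major branch
            return "fixed" if fw >= fixed_t else "affected"
    return "unknown"                # branch not listed here; never assume it is safe

def triage_inventory(inventory):
    return {host: triage(product, fw) for host, product, fw in inventory}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:10} {status}")
```

A result of "unknown" means the product or firmware branch is not covered by the table above and must be checked against the full Siemens advisory, not treated as safe.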