OTPulse

Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5

Priority: Act Now
CVSS: 9.8
Advisory: SSA-082556
Date: Jun 10, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities exist in the GNU/Linux subsystem embedded in the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP, firmware version V3.1.5 and later. They include memory corruption flaws (buffer overflow, use-after-free, integer overflow, out-of-bounds read), OS command injection, and improper input validation (CWE-20, CWE-78, CWE-125, CWE-416, CWE-121, and 42 additional CWEs). The most severe of the 148 listed CVEs allow an unauthenticated remote attacker to execute arbitrary code on the CPU's Linux subsystem; many of the others are Linux kernel or local-only issues that matter once a foothold exists. This page states both that Siemens is preparing fix versions and, in the product table, that all three affected products are end of life with no fix, so confirm the current fix status against SSA-082556 directly. Until a fix is confirmed and installed, network access controls and operational hardening are the only mitigations.

What this means
What could happen
An attacker with network access to the CPU can exploit the memory corruption and command injection flaws to gain remote code execution on the embedded Linux subsystem. That subsystem is an additional runtime that runs alongside the PLC firmware; this page does not spell out what a compromised subsystem can do to the control program, so treat the controller as compromised and plan for the worst outcomes: modification of control logic or process parameters, or a denial of service that halts production.
Who's at risk
This affects organizations operating SIMATIC S7-1500 CPU 1518 and 1518F MFP controllers (and the SIPLUS variant) in manufacturing plants, water utilities, power distribution, and other critical infrastructure built on Siemens automation equipment. Any facility relying on these CPUs for process control, including setpoint management, valve control, pump operations, or batch sequencing, should implement network isolation controls immediately.
How it could be exploited
The listed CVEs sit in the Linux subsystem's standard components (for example CVE-2024-6387 in OpenSSH, CVE-2023-38545 in libcurl, CVE-2023-4911 in glibc, and a long run of Linux kernel fixes), so the exposure is whichever of those services is reachable on the CPU's Ethernet interfaces. An unauthenticated attacker who can reach a vulnerable network-facing service sends crafted input to it; improper input validation (CWE-20) and memory-safety flaws (CWE-125, CWE-416, CWE-121) then lead to code execution, and OS command injection (CWE-78) to arbitrary commands. Once code runs on the Linux subsystem, the attacker can work from there toward the PLC's control logic and data.
Prerequisites
  • Network access to the S7-1500 CPU Ethernet port (TCP/UDP)
  • No credentials or authentication required
Tags:
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Actively exploited (KEV)
  • Critical CVSS score (9.8)
  • High EPSS score (94.4%)
  • No patch available yet
  • Affects industrial control systems
Exploitability
Actively exploited: at least one of the listed CVEs appears in the CISA KEV catalogue. KEV membership and EPSS are tracked per CVE, so these flags describe the upstream components (CVE-2023-44487 in the HTTP/2 implementation and CVE-2023-4911 in glibc are KEV entries, for example) rather than a reported exploitation of the S7-1500 itself. Treat the 9.8 score as the worst case across the 148 CVEs: many of them are Linux kernel bugs and several are local-only issues that matter only after an attacker already has a foothold on the subsystem.
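The tags above apply per CVE. To see which of the 148 actually need an unauthenticated network attacker and which need a foothold first, a practitioner splits the list by CVSS attack vector and checks KEV membership. The following is an added example written for this page (not OTPulse's or Siemens' code): the four entries are a hand-copied subset of the list with their NVD CVSS 3.1 vectors and KEV status at the time of writing, the only data it embeds, and the bucket and priority rules are the example's own choice.

```python
"""Triage the advisory's CVE list by CVSS attack vector and CISA KEV status.

Added example for this page; it is not OTPulse or Siemens code. SAMPLE_CVES
holds a hand-copied subset of the page's 148 CVEs with their NVD CVSS 3.1
vectors, and SAMPLE_KEV the IDs from that subset that are in the KEV
catalogue, both as of the time of writing. For real triage, replace both
with data loaded from the NVD and KEV feeds.
"""

SAMPLE_CVES = {
    # OpenSSH signal-handler race ("regreSSHion"): remote, unauthenticated, high complexity
    "CVE-2024-6387": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    # libcurl SOCKS5 heap overflow: remote, unauthenticated, low complexity
    "CVE-2023-38545": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    # HTTP/2 Rapid Reset: remote denial of service only
    "CVE-2023-44487": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    # glibc ld.so GLIBC_TUNABLES overflow: local privilege escalation
    "CVE-2023-4911": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
}
SAMPLE_KEV = {"CVE-2023-44487", "CVE-2023-4911"}

REQUIRED_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
BUCKET_RANK = {"remote-unauth": 0, "remote-other": 1, "local-only": 2}
IMPACT_RANK = {"code-or-data": 0, "availability": 1, "low": 2}


def parse_cvss_vector(vector: str) -> dict:
    """Split a CVSS 3.x vector string into a metric -> value mapping."""
    prefix, _, rest = vector.partition("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS 3.x vector: {vector!r}")
    metrics = {}
    for item in rest.split("/"):
        name, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[name] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks {missing}")
    return metrics


def classify(cve_id: str, vector: str, kev_ids: set) -> dict:
    """Bucket one CVE by who can trigger it and what it yields."""
    m = parse_cvss_vector(vector)
    if m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N":
        bucket = "remote-unauth"      # reachable by anyone who can route to the service
    elif m["AV"] in ("N", "A"):
        bucket = "remote-other"       # network, but needs privileges or a user action
    else:
        bucket = "local-only"         # needs a foothold first (AV:L or AV:P)
    if m["C"] == "H" or m["I"] == "H":
        impact = "code-or-data"
    elif m["A"] == "H":
        impact = "availability"
    else:
        impact = "low"
    return {"cve": cve_id, "bucket": bucket, "impact": impact,
            "low_complexity": m["AC"] == "L", "kev": cve_id in kev_ids}


def triage(cves: dict, kev_ids: set) -> list:
    """Order CVEs: network-reachable first, then KEV, then impact, then ease."""
    rows = [classify(cve, vec, kev_ids) for cve, vec in cves.items()]
    rows.sort(key=lambda r: (BUCKET_RANK[r["bucket"]], not r["kev"],
                             IMPACT_RANK[r["impact"]], not r["low_complexity"]))
    return rows


def bucket_counts(rows: list) -> dict:
    """How many CVEs fall into each bucket, for the status report."""
    counts = {b: 0 for b in BUCKET_RANK}
    for r in rows:
        counts[r["bucket"]] += 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_CVES, SAMPLE_KEV)
    for r in rows:
        flag = "KEV " if r["kev"] else "    "
        print(f"{flag}{r['cve']:<15} {r['bucket']:<13} {r['impact']}")
    print(bucket_counts(rows))
```

Run over the full list, the output answers the question the tags leave open: how many of the 148 are reachable by an unauthenticated network attacker at all, and which of those are in KEV. The local-only bucket is not ignorable, it is the privilege-escalation material an attacker uses after landing in the subsystem, but it does not change the perimeter decision.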
Affected products (3), all end of life

Product                                | Affected Versions | Fix Status
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP  | ≥ 3.1.5           | No fix (EOL)
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP    | ≥ 3.1.5           | No fix (EOL)
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP   | ≥ 3.1.5           | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement network segmentation with a firewall in front of the S7-1500 CPU so that only trusted engineering workstations and HMI systems can reach it, and block every other inbound connection to the device. Allowlist by source host and service, not by subnet.
HARDENING: Disable unused services and ports on the S7-1500 in the device configuration where the CPU allows it. The CVE list covers network-facing components of the Linux subsystem (OpenSSH, curl, an HTTP/2 implementation among them), so every service exposed from that subsystem is attack surface.
HOTFIX: No fix version is listed for the three affected products on this page. Track the Siemens advisory SSA-082556 for a change in fix status; if a patched firmware is released, schedule a maintenance window and upgrade the CPU promptly.
Mitigations - no patch available
The following products have reached end of life with no planned fix: SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP, SIPLUS S7-1500 CPU 1518-4 PN/DP MFP, SIMATIC S7-1500 CPU 1518-4 PN/DP MFP. Apply the following compensating controls:
HARDENING: Follow Siemens' operational guidelines for industrial security: run the CPU inside a protected automation cell behind a firewall, place a DMZ between the plant and office networks, air-gap critical networks where feasible, and apply network access controls so that only the trusted engineering and HMI hosts can open connections to the controller.
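The mitigations above all reduce to one policy: a short allowlist of hosts and services that may reach the CPU, enforced at a firewall and checked against what the network actually carries. The example below is added for this page and is not OTPulse's or Siemens' code. It renders an nftables ruleset from such an allowlist and audits a firewall connection log against the same allowlist. The PLC address, the trusted hosts, the log lines and their format are constructed for illustration; 102/tcp (S7 communication over ISO-on-TCP) is a real S7-1500 port, and which other ports the Linux subsystem exposes must be determined on the actual device.

```python
"""Render a firewall allowlist for an S7-1500 CPU and audit flow logs against it.

Added example for this page, not OTPulse's or Siemens' code. The PLC address,
the trusted hosts, the port list and the flow-log lines are constructed for
illustration; only 102/tcp (S7 communication over ISO-on-TCP) is a real
S7-1500 port, and even that must be checked against what the site exposes.
"""
import ipaddress
import re

PLC = "10.20.30.40"                     # constructed: the S7-1500 CPU 1518-4 PN/DP MFP
TRUSTED = {                             # constructed: hosts allowed to open connections
    "10.20.1.10": "engineering workstation (TIA Portal)",
    "10.20.1.11": "HMI",
}
PLC_TCP_PORTS = (102,)                  # S7comm; add only ports the plant really uses

# Constructed firewall connection log; the format is illustrative, not a vendor's.
FLOW_LOG = """\
2025-06-11T08:01:02Z src=10.20.1.10 dst=10.20.30.40 proto=tcp dport=102 action=allow
2025-06-11T08:01:05Z src=10.20.1.11 dst=10.20.30.40 proto=tcp dport=102 action=allow
2025-06-11T08:02:17Z src=10.20.5.77 dst=10.20.30.40 proto=tcp dport=22 action=allow
2025-06-11T08:02:18Z src=10.20.1.10 dst=10.20.30.40 proto=tcp dport=22 action=allow
2025-06-11T08:03:00Z src=10.20.1.10 dst=10.20.30.41 proto=tcp dport=102 action=allow
2025-06-11T08:03:30Z src=10.20.5.77 dst=10.20.30.40 proto=tcp dport=102 action=drop
"""
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)$")


def build_nft_ruleset(plc: str, trusted: dict, tcp_ports: tuple) -> str:
    """Render an nftables ruleset for the firewall in front of the PLC: only
    the trusted hosts may open connections to the listed ports, return traffic
    is allowed, and everything else toward the PLC is logged and dropped.
    The text is returned for review, not applied."""
    ipaddress.IPv4Address(plc)                      # fail early on typos
    hosts = sorted(trusted, key=ipaddress.IPv4Address)
    ports = ", ".join(str(p) for p in tcp_ports)
    return "\n".join([
        "table inet plc_guard {",
        "  set trusted_hosts {",
        "    type ipv4_addr",
        "    elements = { " + ", ".join(hosts) + " }",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {plc} ct state established,related accept",
        f"    ip daddr {plc} ip saddr @trusted_hosts tcp dport {{ {ports} }} ct state new accept",
        f'    ip daddr {plc} log prefix "plc_guard drop: " drop',
        "  }",
        "}",
    ])


def audit_flows(log_text: str, plc: str, trusted: dict, tcp_ports: tuple) -> list:
    """Return the allowed flows to the PLC that the allowlist would not permit.
    Dropped flows are already blocked and are not findings; unparseable lines
    are reported rather than silently skipped."""
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            findings.append({"line": line, "reason": "unparseable log line"})
            continue
        ts, src, dst, proto, dport, action = m.groups()
        if dst != plc or action != "allow":
            continue
        if src not in trusted:
            reason = "untrusted source"
        elif proto != "tcp" or int(dport) not in tcp_ports:
            reason = "unexpected service"
        else:
            continue
        findings.append({"time": ts, "src": src, "dport": int(dport), "reason": reason})
    return findings


if __name__ == "__main__":
    print(build_nft_ruleset(PLC, TRUSTED, PLC_TCP_PORTS))
    for finding in audit_flows(FLOW_LOG, PLC, TRUSTED, PLC_TCP_PORTS):
        print(finding)
```

On the constructed log the audit flags two flows: an untrusted host reaching the controller, and a trusted workstation talking to 22/tcp, a service the allowlist never granted. CVE-2024-6387 in this advisory's list is an OpenSSH bug, so an unexpected SSH session to the controller is exactly the kind of finding worth chasing before the segmentation rules go live. Review the rendered ruleset on the real firewall before loading it, and extend PLC_TCP_PORTS only with services the plant has confirmed it needs.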
CVEs (148)
CVE-2021-41617 CVE-2023-4527 CVE-2023-4806 CVE-2023-4911 CVE-2023-5363 CVE-2023-6246 CVE-2023-6779 CVE-2023-6780
CVE-2023-28531 CVE-2023-38545 CVE-2023-38546 CVE-2023-44487 CVE-2023-46218 CVE-2023-46219 CVE-2023-48795 CVE-2023-51384
CVE-2023-51385 CVE-2023-52927 CVE-2024-2961 CVE-2024-6119 CVE-2024-6387 CVE-2024-12133 CVE-2024-12243 CVE-2024-24855
CVE-2024-26596 CVE-2024-28085 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2024-34397 CVE-2024-37370
CVE-2024-37371 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-50246 CVE-2024-53166 CVE-2024-57924 CVE-2024-57977
CVE-2024-57996 CVE-2024-58005 CVE-2025-3198 CVE-2025-4373 CVE-2025-4598 CVE-2025-5244 CVE-2025-5245 CVE-2025-6395
CVE-2025-7425 CVE-2025-7545 CVE-2025-7546 CVE-2025-8224 CVE-2025-9230 CVE-2025-9232 CVE-2025-11082 CVE-2025-11083
CVE-2025-11412 CVE-2025-11413 CVE-2025-11414 CVE-2025-11494 CVE-2025-11495 CVE-2025-11839 CVE-2025-11840 CVE-2025-21701
CVE-2025-21702 CVE-2025-21712 CVE-2025-21724 CVE-2025-21728 CVE-2025-21745 CVE-2025-21756 CVE-2025-21758 CVE-2025-21765
CVE-2025-21766 CVE-2025-21767 CVE-2025-21795 CVE-2025-21796 CVE-2025-21848 CVE-2025-21862 CVE-2025-21864 CVE-2025-21865
CVE-2025-26465 CVE-2025-31115 CVE-2025-32988 CVE-2025-32989 CVE-2025-38058 CVE-2025-38063 CVE-2025-38067 CVE-2025-38071
CVE-2025-38079 CVE-2025-38083 CVE-2025-38100 CVE-2025-38111 CVE-2025-38124 CVE-2025-38167 CVE-2025-38198 CVE-2025-38212
CVE-2025-38214 CVE-2025-38215 CVE-2025-38222 CVE-2025-38231 CVE-2025-38236 CVE-2025-38280 CVE-2025-38285 CVE-2025-38312
CVE-2025-38342 CVE-2025-38350 CVE-2025-38364 CVE-2025-38393 CVE-2025-38400 CVE-2025-38430 CVE-2025-38451 CVE-2025-38457
CVE-2025-38465 CVE-2025-38466 CVE-2025-38468 CVE-2025-38470 CVE-2025-38471 CVE-2025-38477 CVE-2025-38498 CVE-2025-38499
CVE-2025-38614 CVE-2025-38685 CVE-2025-38691 CVE-2025-38701 CVE-2025-38702 CVE-2025-38708 CVE-2025-38721 CVE-2025-38724
CVE-2025-38727 CVE-2025-39683 CVE-2025-39689 CVE-2025-39697 CVE-2025-39724 CVE-2025-39756 CVE-2025-39770 CVE-2025-39773
CVE-2025-39783 CVE-2025-39787 CVE-2025-39795 CVE-2025-39798 CVE-2025-39866 CVE-2025-39929 CVE-2025-39931 CVE-2025-39977
CVE-2025-40022 CVE-2025-46836 CVE-2025-59375 CVE-2025-66382