User Enumeration Vulnerability in the Webserver of SIMATIC Products
Monitor · 5.3 · SSA-195895 · Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The webserver in multiple SIMATIC products contains a user enumeration vulnerability that allows an unauthenticated remote attacker to discover valid usernames by analyzing login responses. This affects the S7-1200 family (versions below 4.7), S7-1500 family (versions 3.1.0 to before 3.1.2), ET 200SP controllers (versions 3.1.0 to before 3.1.2), ET 200SP Open Controller (versions 30.1.0 to before 31.1.4), S7-1500 Software Controllers (versions 30.1.0 to before 31.1.4), S7-PLCSIM Advanced (versions 6.0 to before 7.0), and SIPLUS variants. Siemens has released firmware updates addressing this issue.
What this means
What could happen
An attacker can learn which user accounts exist on your controller's webserver, which simplifies social engineering or brute-force attacks against those accounts. This creates a stepping stone to gain engineering-level access and modify control logic or process parameters.
Who's at risk
Manufacturers and transportation operators who use Siemens SIMATIC S7-1200, S7-1500, Drive Controller, ET 200SP, ET 200SP Open Controller, and SIPLUS variants. The webserver interface on these controllers is the affected component, used for diagnostics and engineering access.
How it could be exploited
An attacker sends login requests to the webserver on the affected controller. By observing differences in error messages or response times, the attacker can determine which usernames are valid on the system. Once valid usernames are identified, the attacker can focus credential-guessing attacks on real accounts.
Prerequisites
- Network access to the webserver port on the affected controller
- No authentication required
remotely exploitable · no authentication required · low complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (92)
92 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC S7-1200 CPU 1211C DC/DC/DC | < V4.7 | 4.7 |
| SIMATIC S7-1200 CPU 1211C DC/DC/Rly | < V4.7 | 4.7 |
| SIMATIC S7-1200 CPU 1212C AC/DC/Rly | < V4.7 | 4.7 |
| SIMATIC S7-1200 CPU 1212C DC/DC/DC | < V4.7 | 4.7 |
| SIMATIC Drive Controller CPU 1504D TF | ≥ V3.1.0, < V3.1.2 | 3.1.2 |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the webserver interface on affected controllers using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and CPU 1507D TF to firmware version 3.1.2 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 7.0 or later
All products
HOTFIX: Update SIMATIC S7-1200 CPU controllers to firmware version 4.7 or later
HOTFIX: Update SIMATIC S7-1500 CPU controllers to firmware version 3.1.2 or later
HOTFIX: Update SIMATIC ET 200SP CPU controllers to firmware version 3.1.2 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 and SIPLUS variants to firmware version 31.1.4 or later
HOTFIX: Update SIMATIC S7-1500 Software Controller (all variants) to firmware version 31.1.4 or later
HOTFIX: Update SIPLUS S7-1200 and S7-1500 variants to corresponding fixed versions
CVEs (1)