OTPulse

Vulnerabilities in EFI variable of SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs

Plan: Patch
Score: 8.2
Advisory: SSA-216014
Published: Mar 11, 2025
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in SIMATIC IPCs, SIMATIC Tablet PCs (ITP1000), and SIMATIC Field PGs allow an authenticated attacker with high privileges to alter the secure boot and password configurations through modification of EFI variables. This could enable an attacker to disable security features, inject malicious code into the boot process, or lock out legitimate administrators.

What this means
What could happen
An attacker with engineering-level access could modify BIOS security settings or disable secure boot on industrial controllers, potentially allowing them to inject malicious code at startup or prevent legitimate personnel from accessing the system. This affects remote monitoring, control logic, and operational continuity of connected processes.
Who's at risk
Water utilities and municipal electric systems running SIMATIC industrial PCs (IPC277G, IPC327G, IPC377G, IPC627E, IPC647E, IPC677E, IPC847E, IPC BX/PX/RC/RW series), SIMATIC Tablet PCs (ITP1000), or SIMATIC Field Portable Devices (Field PG M6, M5) for SCADA/HMI, remote monitoring, or field engineering stations are affected. This applies to any organization using Siemens hardware for process automation or grid control.
How it could be exploited
An attacker must first gain physical or remote access to the industrial PC's operating system with high-level (administrative/engineering) privileges. Once authenticated, they can access EFI variables in firmware to disable secure boot mechanisms, modify password configurations, or alter BIOS settings that protect the system. This could allow persistence or bypass of security controls on subsequent boots.
Prerequisites
  • Local or remote administrative/engineering-level credentials
  • Access to the SIMATIC IPC/Tablet/Field PG operating system
  • Ability to execute privileged commands that modify EFI variables
  • No authentication required (high privilege context assumed, but attacker must already be authenticated)
  • Low complexity attack once inside the system
  • No patch available for multiple product lines
  • Affects industrial control system infrastructure
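The attack described above works by rewriting EFI variables that hold the Secure Boot and password configuration, so a defender's first check is whether the platform is still enforcing Secure Boot. The script below is an added example for this advisory, not code from Siemens or OTPulse. It assumes a Linux host that exposes the firmware variables through efivarfs (/sys/firmware/efi/efivars), where every file starts with a 4-byte little-endian attribute word followed by the variable data, and that the SecureBoot and SetupMode variables carry the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c. The sample byte strings are constructed so the logic can be exercised offline; on a real IPC the live variables are read instead.

```python
"""Check Secure Boot enforcement from UEFI variables in efivarfs layout.

Added example for the SSA-216014 advisory page, not Siemens or OTPulse code.
Assumes a Linux host with /sys/firmware/efi/efivars mounted.
"""
import struct
from pathlib import Path
from typing import Optional, Tuple

EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI global variable GUID: suffix of the SecureBoot and SetupMode files
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Variable attribute bits from the UEFI specification
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split one efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Interpret the SecureBoot and SetupMode variables.

    Secure Boot is only enforced when SecureBoot == 1 and SetupMode == 0.
    SetupMode == 1 means the platform key is cleared and the firmware will
    accept unauthenticated writes to the signature databases.
    """
    sb_attrs, sb_data = parse_efivar(secureboot_raw)
    _sm_attrs, sm_data = parse_efivar(setupmode_raw)
    enabled = len(sb_data) >= 1 and sb_data[0] == 1
    setup = len(sm_data) >= 1 and sm_data[0] == 1
    return {
        "secure_boot_enabled": enabled,
        "setup_mode": setup,
        "enforced": enabled and not setup,
        # SecureBoot is defined as a volatile, read-only variable; a copy
        # flagged non-volatile is unexpected and worth investigating
        "secureboot_non_volatile": bool(sb_attrs & EFI_VARIABLE_NON_VOLATILE),
    }


def read_live_state() -> Optional[dict]:
    """Read the real variables when running on a UEFI Linux host, else None."""
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}"
    sm = EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}"
    if not (sb.exists() and sm.exists()):
        return None
    return secure_boot_state(sb.read_bytes(), sm.read_bytes())


# Constructed sample entries: attributes BS|RT (0x6), then one data byte
_BSRT = struct.pack("<I", EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
SAMPLE_ENFORCED = (_BSRT + b"\x01", _BSRT + b"\x00")
SAMPLE_DISABLED = (_BSRT + b"\x00", _BSRT + b"\x00")
SAMPLE_SETUP_MODE = (_BSRT + b"\x01", _BSRT + b"\x01")

if __name__ == "__main__":
    # Prefer the live firmware state; fall back to the constructed sample
    state = read_live_state() or secure_boot_state(*SAMPLE_ENFORCED)
    print(state)
```

Run it on the IPC's Linux image as root; a result with "enforced": False on a device that should be locked down is a direct indicator that the Secure Boot configuration has been altered and the device should be re-provisioned and investigated. On Windows-based IPCs the same variables are read through the Windows firmware API rather than efivarfs, so only the parsing and interpretation logic carries over.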
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (32)
19 with fix, 13 EOL
Product                   Affected Versions   Fix Status
SIMATIC IPC3000 SMART V3  All versions        No fix (EOL)
SIMATIC IPC477E PRO       All versions        No fix (EOL)
SIMATIC IPC RW-543A       All versions        No fix (EOL)
SIMATIC IPC277G           < 28.01.14          28.01.14
SIMATIC IPC277G PRO       < 28.01.14          28.01.14
Remediation & Mitigation

  • Update to V25.02.15 or later version
  • Update to V28.01.14 or later version
  • Update to V29.01.07 or later version
  • Update to V31.01.07 or later version
  • Update to V32.01.04 or later version
