OTPulse

Deserialization Vulnerability in STEP 7 Safety before V19

Monitor | CVSS 6.3 | SSA-313039 | Jul 9, 2024
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: Required
Summary

A deserialization vulnerability exists in SIMATIC STEP 7 Safety V18 versions before Update 2. The application does not properly restrict the .NET BinaryFormatter when deserializing user-controllable input, allowing an attacker to cause type confusion and execute arbitrary code within the affected application.
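
As an added illustration of the flaw class described in the summary (not Siemens code and not part of the advisory), the C# below contrasts an unrestricted BinaryFormatter with one limited by an allow-list SerializationBinder. The types ProjectHeader and UnexpectedType, the AllowListBinder and Demo classes, and a .NET Framework 4.8 target are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed sample types; neither comes from STEP 7 Safety.
[Serializable] public class ProjectHeader { public string Name; }
[Serializable] public class UnexpectedType { public string Data; }

// Hypothetical binder: resolves only allow-listed type names, rejects the rest.
sealed class AllowListBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(ProjectHeader).FullName, typeof(ProjectHeader) }
    };
    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (Allowed.TryGetValue(typeName, out t)) return t;
        // Throw rather than return null: null falls back to default type resolution.
        throw new SerializationException("Type not allowed: " + typeName);
    }
}

static class Demo
{
    static byte[] Serialize(object o)
    {
        using (var ms = new MemoryStream())
        { new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); }
    }
    static object Load(byte[] data, bool restricted)
    {
        var f = new BinaryFormatter();
        if (restricted) f.Binder = new AllowListBinder(); // restricted path
        using (var ms = new MemoryStream(data))
            return f.Deserialize(ms); // with no binder, the stream chooses the type
    }
    static void Main()
    {
        byte[] other = Serialize(new UnexpectedType { Data = "x" });
        Console.WriteLine(Load(other, false).GetType()); // weak: unexpected type is built
        Console.WriteLine(Load(Serialize(new ProjectHeader { Name = "demo" }), true).GetType());
        try { Load(other, true); }
        catch (SerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Microsoft documents BinaryFormatter as unsafe for untrusted input even with a binder, so an allow-list narrows the accepted types rather than making the formatter safe.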

What this means
What could happen
An attacker could execute arbitrary code on an engineering workstation running STEP 7 Safety, potentially allowing modification of safety-critical application logic or PLC configurations.
Who's at risk
Engineering teams using Siemens STEP 7 Safety V18 on workstations are affected. This impacts anyone who develops or modifies safety-critical PLC logic, control system configurations, or safety interlocks in manufacturing, utilities, or critical infrastructure.
How it could be exploited
An attacker with local access to an engineering workstation could craft a malicious serialized object and trick a user into opening it within STEP 7 Safety. The application deserializes the object without proper validation, allowing the attacker to execute code with the privileges of the engineer running the application.
Prerequisites
  • Local access to the engineering workstation
  • STEP 7 Safety V18 (earlier than Update 2) installed
  • User interaction required to open/deserialize the malicious object
Low complexity exploitation | User interaction required | Affects safety system configuration
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SIMATIC STEP 7 Safety V18 | All versions < V18 Update 2 | 18 Update 2
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC STEP 7 Safety V18 to Update 2 or later