Improper Access Control Vulnerability in TIA Portal Affecting S7-1200 and S7-1500 CPUs Web Server (Incl. Related ET200 CPUs and SIPLUS variants)
Monitor | 6.4 | SSA-350757 | Apr 12, 2022
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: Required
Summary
An improper access control vulnerability in the web server of S7-1200 and S7-1500 CPUs (including ET200 and SIPLUS variants) occurs due to incorrect handling of user credentials during project download from TIA Portal. When a project is downloaded to the CPU, the web server's user management configuration can be mishandled, allowing privilege escalation. This vulnerability only affects devices where the web server feature is explicitly activated. Siemens has released updates for V16 and V17; V15 has no fix planned.
What this means
What could happen
An attacker with local access to an engineering workstation could escalate to administrative privileges on the web server of S7-1200 or S7-1500 CPUs, allowing them to modify device configuration, disable safety features, or cause operational disruptions. This only affects devices with the web server feature activated.
Who's at risk
This affects utilities and industrial facilities using Siemens programmable logic controllers (S7-1200, S7-1500 CPUs, including ET200 variants and SIPLUS redundant models) with the web server feature enabled. It impacts personnel who use TIA Portal V15, V16 (before Update 5), or V17 (before Update 2) to program and configure these devices. Water treatment plants, power generation facilities, and other critical infrastructure using these controllers should assess their use of the web server feature.
How it could be exploited
An attacker with administrative or high-privilege access to a workstation running TIA Portal could craft a malicious project file or intercept the download process to a CPU. When the project is downloaded to the device, the malformed web server user credentials are installed, allowing the attacker to log in to the CPU's web interface with elevated privileges and reconfigure the device.
Prerequisites
- High privilege (engineering or administrative) credentials on the TIA Portal workstation
- Physical or network access to the workstation during project download to CPU
- User interaction: the engineer must download/apply a project to the target CPU
- S7-1200 or S7-1500 CPU with web server feature enabled
- Vulnerable TIA Portal version installed on the workstation
- Low attack complexity but requires high privilege access
- User interaction required (engineer must download project)
- Local attack vector only
- Affects safety-critical device configuration if web server is used for remote monitoring/control
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
2 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC STEP 7 (TIA Portal) V16 | < V16 Update 5 | 16 Update 5 |
| SIMATIC STEP 7 (TIA Portal) V17 | < V17 Update 2 | 17 Update 2 |
| SIMATIC STEP 7 (TIA Portal) V15 | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Disable the web server feature on S7-1200 and S7-1500 CPUs if not required for operations
- HARDENING: Restrict engineering workstation access to authorized personnel only and enforce strong authentication
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC STEP 7 (TIA Portal) V16
- HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V16 to Update 5 or later
- HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V17 to Update 2 or later
CVEs (1)
API:
/api/v1/advisories/a2b2a2d1-e0ba-4c99-84cd-ab3660843907