Denial of Service Vulnerability in SIMATIC S7 CPU Families
Monitor | CVSS 5.3 | SSA-431678 | Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC S7 CPU families contain a denial of service vulnerability in the embedded web server. An attacker can send a specially crafted HTTP request to crash the web server process, causing the device to stop responding and lose control functionality until manually rebooted. The vulnerability affects a wide range of S7-300, S7-1200, S7-400, ET 200S, ET 200pro, and WinAC RTX controllers. Siemens has issued firmware updates for most S7-300 and S7-1200 variants but has not released fixes for S7-400 V6 and earlier or WinAC RTX 2010 products. The vulnerability is rated CVSS 5.3 (medium severity), with low exploit probability (EPSS 0.6%).
What this means
What could happen
An attacker could send a malformed HTTP request to the web server on these controllers, causing them to stop responding and halting production processes until the device is manually rebooted.
Who's at risk
Water utilities and municipal electric systems using Siemens SIMATIC S7 family controllers (S7-300, S7-1200, S7-400, ET 200S, ET 200pro, and WinAC RTX variants) for pump stations, treatment processes, and distribution control. This affects both standard and SIPLUS hardened variants used in outdoor or harsh environments.
How it could be exploited
An attacker with network access to the controller's web server (typically port 80/443 on Ethernet-connected SIMATIC devices) sends a specially crafted HTTP request. The malformed request triggers a crash in the web server process, which prevents the CPU from responding to legitimate commands and monitoring.
Prerequisites
- Network access to the controller on port 80 or 443 (HTTP/HTTPS)
- No authentication required
- Controller's web server must be enabled (default configuration)
- Remotely exploitable
- No authentication required
- Low complexity attack
- Affects process availability: denial of service causes loss of monitoring and control
- No patch available for S7-400 V6 and WinAC RTX 2010 products
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (27)
23 with fix, 4 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC WinAC RTX 2010 | All versions | No fix yet |
| SIMATIC WinAC RTX F 2010 | All versions | No fix yet |
| SIPLUS ET 200S IM151-8 PN/DP CPU | < V3.X.17 | 3.X.17 |
| SIPLUS ET 200S IM151-8F PN/DP CPU | < V3.X.17 | 3.X.17 |
| SIPLUS S7-300 CPU 314C-2 PN/DP | < V3.X.17 | 3.X.17 |

Remediation & Mitigation
Do now
SIMATIC WinAC RTX 2010
- WORKAROUND: For SIMATIC WinAC RTX 2010 and S7-400 PN/DP (V6 and below) where no firmware update is available, restrict network access to the web server via firewall rules; only allow HTTP/HTTPS connections from authorized engineering workstations
All products
- HARDENING: Disable the web server on affected controllers if it is not required for operations
Schedule: requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.1 or later
- HOTFIX: Update SIMATIC S7-300, ET 200S, ET 200pro, and SIPLUS IM151/314C/315/317/319 CPUs to firmware version 3.X.17 or later
Long-term hardening
- HARDENING: Segment these controllers on a separate VLAN or protected network zone away from untrusted networks
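
The remediation steps above can be applied to an asset inventory with a short triage script. This is an added example, not part of the advisory or of any Siemens tooling; the inventory entries are constructed, and the product-name matching and the reading of "3.X.17" as "patch level 17 on any 3.x release line" are assumptions.

```python
import re

def parse_version(text):
    """'V3.2.12' -> (3, 2, 12); missing fields are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])

NO_FIX = "no fix: restrict or disable the web server"
UNKNOWN = "not covered by this page: check SSA-431678"

def triage(product, firmware):
    """Map one inventory entry to the remediation bucket stated on this page."""
    major, minor, patch = parse_version(firmware)
    name = product.upper()
    if "WINAC RTX" in name:
        return NO_FIX                      # all versions, no fix yet
    if "S7-400" in name:
        # The page only says that V6 and below have no fix.
        return NO_FIX if major <= 6 else UNKNOWN
    if "S7-1200" in name:
        return "patched" if (major, minor) >= (4, 1) else "update to V4.1 or later"
    if any(k in name for k in ("S7-300", "ET 200S", "ET 200PRO", "IM151")):
        # Assumption: the X in "3.X.17" stands for any minor release line,
        # so only the major number and the patch level are compared.
        fixed = major > 3 or (major == 3 and patch >= 17)
        return "patched" if fixed else "update to V3.X.17 or later"
    return UNKNOWN

# Constructed sample inventory: (asset tag, product name, firmware string).
INVENTORY = [
    ("PS-01", "SIPLUS S7-300 CPU 314C-2 PN/DP", "V3.3.12"),
    ("PS-02", "SIPLUS ET 200S IM151-8 PN/DP CPU", "V3.2.17"),
    ("WTP-01", "SIMATIC S7-1200 CPU", "V4.0.1"),
    ("WTP-02", "SIMATIC S7-400 PN/DP CPU", "V6.0.9"),
    ("HMI-01", "SIMATIC WinAC RTX 2010", "all"),
]

def report(inventory):
    """Return {asset tag: action} for every entry in the inventory."""
    return {tag: triage(product, fw) for tag, product, fw in inventory}

if __name__ == "__main__":
    for tag, action in report(INVENTORY).items():
        print(f"{tag:8} {action}")
```

Devices that land in the "no fix" bucket are the ones that need the firewall workaround or a disabled web server before the next maintenance window.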
CVEs (1)