OTPulse

Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families

Plan Patch · CVSS 8.1 · SSA-434534 · May 28, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability (CWE-119) that could allow an attacker with network access to write arbitrary data and code to protected memory areas or read sensitive data. An attacker could modify control logic, alter process parameters, disable safety functions, or exfiltrate credentials and proprietary logic for further attacks. Siemens has released firmware updates for most affected products. The SIMATIC ET 200SP Open Controller CPU 1515SP PC (non-PC2 variant) will not receive a patch and requires alternative mitigations.

What this means
What could happen
An attacker with network access to a SIMATIC PLC could bypass memory protections to write malicious code or data to protected areas, potentially modifying logic, altering control setpoints, or disabling safety functions. They could also read sensitive data like logic or credentials to plan follow-up attacks.
Who's at risk
Operators of SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs), industrial drive controllers, and related ET200SP controllers used in manufacturing plants, water treatment facilities, power generation, and process automation should review this advisory. Any facility using Siemens automation controllers for critical process control or safety functions is affected.
How it could be exploited
An attacker sends specially crafted network packets to the PLC's engineering port (typically TCP port 102, used for S7 communication). By exploiting the memory protection bypass, the attacker can write arbitrary code or data directly into memory regions that should be protected, allowing modification of the running control program or safety logic.
Prerequisites
  • Network access to the PLC on the engineering/S7 communication port (typically port 102)
  • No credentials required
  • The PLC must be in a state where memory writes are processed (device online)
Tags: remotely exploitable · no authentication required · low complexity · memory protection bypass · affects safety-critical systems · actively exploited by code with public details available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (7)
6 with fix, 1 EOL

Product | Affected Versions | Fix Status
SIMATIC Drive Controller family | < V2.9.2 | 2.9.2
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9 | 21.9
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | < V4.5.0 | 4.5.0
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | < V2.9.2 | 2.9.2
SIMATIC S7-1500 Software Controller | < V21.9 | 21.9
SIMATIC S7-PLCSIM Advanced | < V4.0 | 4.0
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For SIMATIC ET 200SP Open Controller CPU 1515SP PC (non-PC2 variant), where no fix is available, implement network segmentation to restrict access to the PLC's engineering port from untrusted networks
HARDENING: Restrict network access to S7 communication port 102 and engineering interfaces to authorized personnel and networks only
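One way to verify the port-102 restriction above against firewall logs, as an added example that is not part of the advisory or any Siemens tooling: it flags allowed TCP/102 sessions to the PLC subnet from hosts outside an engineering-workstation allowlist. The log format, the subnet addresses and the allowlist are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines (not from any real device).
# Field layout assumed here: timestamp action proto src:port -> dst:port
SAMPLE_LOG = """\
2021-06-01T08:00:01Z ALLOW TCP 10.20.5.10:49152 -> 10.20.1.11:102
2021-06-01T08:00:04Z ALLOW TCP 10.20.5.11:49170 -> 10.20.1.12:102
2021-06-01T08:01:17Z ALLOW TCP 192.168.50.23:51022 -> 10.20.1.11:102
2021-06-01T08:01:20Z ALLOW TCP 10.20.5.10:49200 -> 10.20.1.11:443
2021-06-01T08:02:03Z DENY  TCP 203.0.113.7:40001 -> 10.20.1.12:102
"""

# Assumed site layout: the PLC subnet and the engineering workstations that
# are permitted to reach the S7 communication port (TCP 102) on those PLCs.
PLC_NETWORK = ip_network("10.20.1.0/24")
ENGINEERING_HOSTS = {ip_address("10.20.5.10"), ip_address("10.20.5.11")}
S7_PORT = 102

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_unauthorized_s7_access(log_text):
    """Return (timestamp, src, dst) for every ALLOWED TCP/102 session to a
    PLC that originated from a host outside the engineering allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        if m["action"] != "ALLOW" or int(m["dport"]) != S7_PORT:
            continue  # only allowed S7 sessions are of interest here
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if dst in PLC_NETWORK and src not in ENGINEERING_HOSTS:
            findings.append((m["ts"], str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for ts, src, dst in find_unauthorized_s7_access(SAMPLE_LOG):
        print(f"{ts} unauthorized S7 (TCP/{S7_PORT}) access {src} -> {dst}")
```

Each finding is a host that the segmentation rules should have blocked; a denied session (the 203.0.113.7 line) is evidence the control is working and is not reported.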
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 21.9 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 4.0 or later
All products
HOTFIX: Update SIMATIC Drive Controller to firmware version 2.9.2 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware version 21.9 or later
HOTFIX: Update SIMATIC S7-1200 CPU family to firmware version 4.5.0 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to firmware version 2.9.2 or later
Mitigations - no patch available
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement air-gapping or strict firewall rules between the PLC network and corporate/external networks