OTPulse

Eval Injection Vulnerability in SIMATIC S7-1500

Priority: Act Now
CVSS score: 9.6
Siemens advisory: SSA-452276
Published: Mar 10, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

SIMATIC S7-1500 devices and related Siemens controllers contain an eval injection vulnerability in the trace file import function of the web interface. An attacker could craft a malicious trace file that, when imported by a legitimate user, injects and executes arbitrary code on the affected device. This affects SIMATIC S7-1500 CPUs (all models from 1511 through 1518), SIMATIC Drive Controller CPUs (1504D TF, 1507D TF), SIMATIC ET 200SP CPUs, ET 200SP Open Controller CPUs, ET 200pro CPUs, SIMATIC S7-1500 Software Controllers, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP variants, and SIPLUS S7-1500 variants. Siemens has released fixes (firmware version 4.1.2 or later) for several product lines but has not provided fixes for many variants, which remain end-of-life or without planned remediation.

What this means
What could happen
An attacker could trick an authorized engineer or operator into importing a malicious trace file via the web interface, allowing the attacker to inject and execute code on the PLC. This could alter process setpoints, stop critical operations, or cause equipment damage.
Who's at risk
Manufacturing and transportation sectors using Siemens SIMATIC S7-1500 PLCs, SIMATIC Drive Controllers, SIMATIC ET 200SP CPUs, ET 200SP Open Controllers, ET 200pro CPUs, SIMATIC S7-1500 Software Controllers, and SIPLUS variants. Any facility relying on these devices for process control, motion control, or distributed I/O should assess exposure.
How it could be exploited
An attacker crafts a malicious trace file and socially engineers a legitimate user (engineer or operator) to import it through the SIMATIC S7-1500 web interface. The code injection occurs during file processing, executing attacker commands with PLC privileges.
Prerequisites
  • Access to the web interface of the SIMATIC S7-1500 device
  • Social engineering to convince an authorized user to import a malicious trace file
  • User interaction required (an authorized user must trigger the import)
Key points
  • Remotely exploitable via the web interface
  • Requires user interaction (social engineering)
  • Low complexity attack
  • High CVSS score (9.6)
  • Many products have no fix planned
  • Wide product range affected
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (123)
36 with fix, 87 pending

Product                                   Affected Versions   Fix Status
SIMATIC Drive Controller CPU 1504D TF     All versions        No fix yet
SIMATIC Drive Controller CPU 1507D TF     All versions        No fix yet
SIMATIC ET 200SP CPU 1510SP F-1 PN        All versions        No fix yet
SIMATIC ET 200SP CPU 1510SP F-1 PN        < 4.1.2             4.1.2
SIMATIC ET 200SP CPU 1510SP-1 PN          All versions        No fix yet
Remediation & Mitigation
Do now
Workaround: For products without available fixes, restrict web interface access to trusted networks and engineering workstations using firewall rules.
Workaround: Disable the web interface if it is not required for operations and monitoring.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update affected SIMATIC S7-1500 CPUs to firmware version 4.1.2 or later.
Long-term hardening
Hardening: Implement network segmentation to isolate SIMATIC S7-1500 devices from untrusted networks and limit access to authorized engineering personnel only.
Hardening: Train operators and engineers to avoid importing trace files from untrusted or unexpected sources.