OTPulse

Authentication Vulnerability in SIMATIC ET 200SP Communication Processors

Act Now · CVSS 9.8 · SSA-486936 · Oct 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC ET 200SP communication processors (CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS variants) contain an authentication bypass vulnerability that allows an unauthenticated remote attacker to access configuration data including network parameters, device settings, and operational configuration. Affected firmware versions are all releases prior to 2.4.24. Siemens has released firmware version 2.4.24 and later to correct this vulnerability.

What this means
What could happen
An attacker without credentials could remotely access configuration data on SIMATIC ET 200SP communication processors, potentially exposing network parameters, device settings, or control logic that could be used to plan further attacks on the control system.
Who's at risk
Transportation operators (rail systems, traffic management) using SIMATIC ET 200SP communication processors in their distributed I/O racks. This includes any facility using CP 1542SP-1, CP 1543SP-1, or SIPLUS variants of these modules for remote field I/O coordination or inter-station communication.
How it could be exploited
An attacker on the network sends an unauthenticated request to the communication processor on its default listening port. The device fails to enforce authentication before serving configuration data, allowing the attacker to read sensitive settings without providing credentials.
Prerequisites
  • Network access to the communication processor's management or data port (typically 102/TCP for S7 protocol or 161/UDP for SNMP)
  • The device is reachable from the attacker's network segment
remotely exploitable · no authentication required · low complexity · affects configuration data exposure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
6 with fix
Product                                      Affected Versions   Fix Status
SIMATIC CP 1542SP-1                          < 2.4.24            2.4.24
SIMATIC CP 1542SP-1 IRC                      < 2.4.24            2.4.24
SIMATIC CP 1543SP-1                          < 2.4.24            2.4.24
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL      < 2.4.24            2.4.24
SIPLUS ET 200SP CP 1543SP-1 ISEC             < 2.4.24            2.4.24
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL     < 2.4.24            2.4.24
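To turn the table above into a repeatable inventory check, here is an added example (not part of the advisory or of any Siemens tooling) that flags devices whose firmware predates the 2.4.24 fix; the inventory records and device IDs are constructed, and the version-string format ("V2.4.17" / "2.4.24") is an assumption.

```python
"""Flag SIMATIC ET 200SP CPs running firmware below the fixed release."""
from __future__ import annotations

import re

# Product names and fixed version taken from the advisory's table.
AFFECTED_PRODUCTS = {
    "SIMATIC CP 1542SP-1",
    "SIMATIC CP 1542SP-1 IRC",
    "SIMATIC CP 1543SP-1",
    "SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL",
    "SIPLUS ET 200SP CP 1543SP-1 ISEC",
    "SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL",
}
FIXED_VERSION = "2.4.24"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V2.4.17' or '2.4.24' into a tuple of ints for comparison.

    A plain string comparison would wrongly rank '2.4.9' above '2.4.24'.
    """
    match = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(product: str, firmware: str) -> bool:
    """True when the product is listed and its firmware predates the fix."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def devices_needing_update(inventory: list[dict]) -> list[str]:
    """Return the IDs of inventory entries that still need the hotfix."""
    return [d["id"] for d in inventory if is_vulnerable(d["product"], d["firmware"])]


# Constructed sample inventory: hypothetical IDs, versions and one unrelated device.
SAMPLE_INVENTORY = [
    {"id": "cp-rack-01", "product": "SIMATIC CP 1542SP-1", "firmware": "V2.4.17"},
    {"id": "cp-rack-02", "product": "SIMATIC CP 1543SP-1", "firmware": "2.4.24"},
    {"id": "cp-rack-03", "product": "SIPLUS ET 200SP CP 1543SP-1 ISEC", "firmware": "V2.4.9"},
    {"id": "other-01", "product": "UNRELATED-DEVICE (constructed)", "firmware": "V1.0"},
]

if __name__ == "__main__":
    for dev_id in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{dev_id}: update to firmware {FIXED_VERSION} or later")
```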
Remediation & Mitigation
Do now
HARDENING: Implement network-level access controls to restrict unauthenticated traffic to communication processor management ports from untrusted network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS variants to firmware version 2.4.24 or later
Long-term hardening
HARDENING: Segment the industrial network so that only authorized engineering workstations and PLCs can reach communication processor ports