OTPulse

Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020)

Monitor · CVSS 7.8 · SSA-501073 · May 11, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Intel published vulnerabilities in November 2020 affecting Intel CSME (Converged Security and Management Engine), SPS, TXE, AMT, DAL, and BIOS components (Intel-SA-00391 and Intel-SA-00358, represented by CVE-2020-8744 and CVE-2020-0591). These vulnerabilities affect Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP and SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP across all firmware versions. An attacker with local access could exploit these firmware-level flaws to gain elevated privileges. Siemens is developing BIOS and chipset microcode updates to address these issues and recommends environmental protections and network access controls in the interim.

What this means
What could happen
An attacker with local access to the CPU could exploit Intel firmware vulnerabilities in the platform controller hub (CSME/SPS) or BIOS to gain elevated privileges and potentially modify PLC logic or access sensitive process data. This affects the integrity and availability of automation systems that control industrial processes.
Who's at risk
This vulnerability affects the SIMATIC S7-1500 CPU 1518 MFP (both standard and SIPLUS variants), which is used as the main controller in Siemens automation systems across manufacturing, water treatment, electric utilities, and chemical processing facilities. Any facility using these CPUs for critical process control is affected.
How it could be exploited
An attacker with local or physical access to the S7-1500 CPU 1518 MFP could exploit Intel CSME (Converged Security and Management Engine) vulnerabilities or BIOS flaws to execute code at the firmware level. This could allow the attacker to bypass normal security controls, modify PLC behavior, or extract configuration data that could be used to compromise the automation system further.
Prerequisites
  • Local or physical access to the CPU 1518 MFP device
  • User-level privileges on the device operating system or management interface
  • No patch available yet (vendor working on BIOS updates)
  • Requires local/physical access (reduces but does not eliminate risk in production environments)
  • High CVSS score (7.8)
  • Affects foundational platform security (Intel CPU firmware)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant) | All versions | No fix (EOL)
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation and access controls to restrict local and remote access to the S7-1500 CPU 1518 MFP; follow Siemens operational guidelines for Industrial Security
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Regularly monitor Siemens security advisories and Intel CPU update channels for BIOS and chipset microcode patches; plan maintenance windows to apply updates when available
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP. Apply the following compensating controls:
HARDENING: Implement physical security controls to prevent unauthorized physical access to the CPU device