OTPulse

Multiple Vulnerabilities in the SRCS VPN Feature in SIMATIC CP Devices

Act Now | 10 | SSA-517377 | Jul 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in the SRCS (SINEMA Remote Connect Server) VPN feature implemented in Siemens SIMATIC CP communication modules. The vulnerabilities allow an attacker to execute arbitrary code with elevated privileges when the VPN feature is enabled. The feature is disabled by default but can be activated for remote access scenarios. The vulnerabilities affect numerous SIMATIC CP models and SIPLUS variants across different architecture versions. Siemens has released firmware updates addressing all identified vulnerabilities across the product lines.

What this means
What could happen
An attacker with network access to the SRCS VPN feature could execute arbitrary code with elevated privileges on the SIMATIC CP communication module, potentially gaining control of process logic and field device operations.
Who's at risk
Transportation authorities and utilities operating SIMATIC S7-1200/S7-1500 automation systems with remote VPN capability are affected. This includes devices in rail automation, traffic control, and industrial applications that rely on Siemens SIMATIC CP communication modules for remote configuration and maintenance. Organizations using Siemens SINEMA Remote Connect Server for remote access over VPN are at highest risk.
How it could be exploited
An attacker sends a specially crafted network request to the SRCS VPN service listening on the SIMATIC CP device. If the SRCS VPN feature is enabled, the device processes the request without proper validation and executes arbitrary code with elevated system privileges, allowing the attacker to read/modify process setpoints, alter ladder logic, or stop critical control functions.
Prerequisites
  • SRCS VPN feature must be enabled on the affected SIMATIC CP device (not enabled by default)
  • Network reachability to the SIMATIC CP device on the port used by SRCS VPN service
  • No credentials or authentication required to trigger the vulnerability
  • Remotely exploitable over network
  • No authentication required
  • Low attack complexity
  • Affects control system communication devices
  • Multiple affected device models across SIMATIC and SIPLUS product lines
  • Elevated privilege execution possible
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (15); all 15 have a fix available

Product | Affected Versions | Fix Status
SIMATIC CP 1242-7 V2 | < V3.3.46 | Fixed in V3.3.46
SIMATIC CP 1243-1 | < V3.3.46 | Fixed in V3.3.46
SIMATIC CP 1243-7 LTE EU | < V3.3.46 | Fixed in V3.3.46
SIMATIC CP 1243-7 LTE US | < V3.3.46 | Fixed in V3.3.46
SIMATIC CP 1243-8 IRC | < V3.3.46 | Fixed in V3.3.46
SIMATIC CP 1542SP-1 IRC | ≥ V2.0 and < V2.2.28 | Fixed in V2.2.28
SIMATIC CP 1543-1 | < V3.0.22 | Fixed in V3.0.22
SIMATIC CP 1543SP-1 | ≥ V2.0 and < V2.2.28 | Fixed in V2.2.28
Remediation & Mitigation
Do now
Workaround: Disable the SRCS VPN feature if it is not actively required for remote maintenance or management operations
Hardening: Restrict network access to SIMATIC CP devices to authorized management networks only; apply firewall rules to block unauthorized access to SRCS VPN service ports
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 1242-7 V2
Hotfix: Update SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-7 LTE EU, CP 1243-7 LTE US, and CP 1243-8 IRC to firmware version 3.3.46 or later
SIMATIC CP 1542SP-1 IRC
Hotfix: Update SIMATIC CP 1542SP-1 IRC, CP 1543SP-1, SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, SIPLUS ET 200SP CP 1543SP-1 ISEC, and SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL to firmware version 2.2.28 or later
SIMATIC CP 1543-1
Hotfix: Update SIMATIC CP 1543-1 and SIPLUS NET CP 1543-1 to firmware version 3.0.22 or later
SIPLUS NET CP 1242-7 V2
Hotfix: Update SIPLUS NET CP 1242-7 V2, SIPLUS S7-1200 CP 1243-1, and SIPLUS S7-1200 CP 1243-1 RAIL to firmware version 3.3.46 or later
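To turn the version table and the two-tier remediation above into an inventory check, the following added script (not part of the OTPulse advisory or any Siemens tooling) encodes the affected ranges from the SIMATIC table on this page, compares firmware strings numerically (so the "≥ V2.0 and < V2.2.28" lower bound is honoured), and sorts affected devices into the immediate workaround (SRCS VPN enabled) versus the scheduled hotfix. The device names, firmware levels and VPN flags in SAMPLE are constructed for illustration; SIPLUS variants are only in the hotfix notes and would need their ranges added.

```python
import re

# Affected ranges from the SSA-517377 table: product -> (lowest affected or None, first fixed)
AFFECTED = {
    "SIMATIC CP 1242-7 V2": (None, "3.3.46"),
    "SIMATIC CP 1243-1": (None, "3.3.46"),
    "SIMATIC CP 1243-7 LTE EU": (None, "3.3.46"),
    "SIMATIC CP 1243-7 LTE US": (None, "3.3.46"),
    "SIMATIC CP 1243-8 IRC": (None, "3.3.46"),
    "SIMATIC CP 1542SP-1 IRC": ("2.0", "2.2.28"),
    "SIMATIC CP 1543-1": (None, "3.0.22"),
    "SIMATIC CP 1543SP-1": ("2.0", "2.2.28"),
}

def parse_version(text):
    """Turn 'V3.3.46', '3.3' or 'v2.0.1' into a tuple of ints for comparison."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(product, version):
    """True if the product/firmware pair lies inside the advisory's affected range."""
    if product not in AFFECTED:
        return False  # not in the table above; SIPLUS variants appear only in the hotfix notes
    low, fixed = AFFECTED[product]
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False  # below the lower bound (e.g. a V1.x CP 1543SP-1), outside this entry
    return v < parse_version(fixed)

def triage(inventory):
    """inventory: (device, product, firmware, srcs_vpn_enabled) -> (device, fixed, action).
    Mirrors the advisory: VPN enabled gets the immediate workaround, the rest a scheduled hotfix."""
    findings = []
    for device, product, firmware, vpn_enabled in inventory:
        if not is_affected(product, firmware):
            continue
        fixed = "V" + AFFECTED[product][1]
        action = "disable SRCS VPN now, then patch" if vpn_enabled else "schedule patch"
        findings.append((device, fixed, action))
    return findings

# Constructed sample inventory; device names and firmware levels are made up for illustration.
SAMPLE = [
    ("cp-rail-01", "SIMATIC CP 1243-1", "V3.2.1", True),
    ("cp-rail-02", "SIMATIC CP 1243-1", "V3.3.46", True),
    ("cp-et200-03", "SIMATIC CP 1543SP-1", "V1.9.5", False),
    ("cp-et200-04", "SIMATIC CP 1543SP-1", "V2.1.0", False),
]
```

Run `triage(SAMPLE)` to get one row per affected device; a device already at the fixed version, or below the lower bound of a ranged entry, produces no row.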