Web Vulnerabilities in SIMATIC NET CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs
Monitor · 6.3 · SSA-603476 · Nov 21, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
SIMATIC CP 343-1 Advanced, CP 443-1 Advanced, and SIMATIC S7-300/S7-400 CPU family devices are affected by web vulnerabilities (CWE-614: sensitive cookie transmission, CWE-345: insufficient verification of data authenticity). One vulnerability could allow remote attackers to perform operations as an authenticated user under certain conditions. Affected versions: CP 343-1 < V3.0.53, CP 443-1 < V3.2.17, S7-300 < V3.X.18, S7-400 PN/DP all versions.
What this means
What could happen
An attacker who gains access to the engineering web interface could perform unauthorized actions with authenticated user privileges, potentially modifying PLC configuration, process parameters, or operational logic on these controllers.
Who's at risk
Manufacturing and utility operators responsible for SIMATIC S7-300/S7-400 control systems and their associated CP 343-1/CP 443-1 network modules. This includes water treatment facilities, electric utilities, and discrete/process manufacturing plants that rely on these Siemens PLC platforms for critical automation, logic control, and safety-critical functions.
How it could be exploited
An attacker with network access to the CP 343-1/CP 443-1 web interface or S7-300/S7-400 engineering web server could exploit weak cookie transmission or data authenticity verification to impersonate an authenticated user and execute commands or alter controller settings.
Prerequisites
- Network access to the web interface (typically TCP port 80 or 443)
- Knowledge of a valid authenticated user session, or the ability to intercept/replay session credentials
- User interaction (phishing or social engineering to trick an engineer into clicking a malicious link)
- Remotely exploitable
- Affects critical PLC devices in manufacturing and utility operations
- Web interface may be reachable from engineering workstations or IT networks
- Low authentication bypass complexity
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
3 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC CP 343-1 Advanced (incl. SIPLUS variants) | < V3.0.53 | 3.0.53 or any later version
SIMATIC CP 443-1 Advanced (incl. SIPLUS variants) | < V3.2.17 | 3.2.17 or any later version
SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) | < V3.X.18 | 3.X.18
SIMATIC S7-400 PN/DP CPU family (incl. SIPLUS variants) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For SIMATIC S7-400 PN/DP CPU (no patch available): restrict network access to the web interface using firewall rules, allowing only trusted engineering workstation IP addresses on ports 80 and 443
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Update SIMATIC CP 343-1 Advanced to firmware version 3.0.53 or later
HOTFIX: Update SIMATIC CP 443-1 Advanced to firmware version 3.2.17 or later
HOTFIX: Update SIMATIC S7-300 CPU to firmware version 3.X.18 or later
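After a firmware update, a defender will want to confirm that the web interface no longer hands out session cookies without protective attributes, since CWE-614 (the cookie weakness named in the summary) is about a sensitive cookie sent without the Secure attribute. The following is an added example, not code from the advisory or from Siemens: it parses Set-Cookie lines captured from the device (constructed samples below, not real device output) and reports session-like cookies missing Secure, HttpOnly or SameSite. Which attributes the fixed firmware actually sets is not stated by the advisory; the list checked here is an assumption about what a hardened deployment should show.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie lines (not captured from a real device):
# an unprotected session cookie, a hardened one, and a preference cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: session_id=0a1b2c3d; Path=/",
    "Set-Cookie: sid=9f8e7d6c; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: lang=en; Path=/; Max-Age=3600",
]
# Name fragments that mark a cookie as carrying authenticated state.
SESSION_HINTS = ("session", "sid", "auth", "token")
# Secure addresses CWE-614 (cookie exposed over cleartext HTTP); HttpOnly
# and SameSite limit script access and cross-site reuse of the session.
REQUIRED = ("Secure", "HttpOnly", "SameSite")

@dataclass
class Finding:
    name: str
    session_like: bool
    missing: List[str]

def parse_set_cookie(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes); attribute keys are lower-cased,
    flag attributes such as Secure map to an empty string."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_set_cookie(line: str) -> Finding:
    """Report which protective attributes one cookie lacks."""
    name, attrs = parse_set_cookie(line)
    session_like = any(h in name.lower() for h in SESSION_HINTS)
    missing = [a for a in REQUIRED if a.lower() not in attrs]
    # SameSite=None gives no cross-site protection, so count it as missing.
    if attrs.get("samesite", "").lower() == "none":
        missing.append("SameSite")
    return Finding(name, session_like, missing)

def session_cookies_at_risk(headers: List[str]) -> List[str]:
    """Names of session-like cookies that miss at least one attribute."""
    findings = (audit_set_cookie(h) for h in headers)
    return [f.name for f in findings if f.session_like and f.missing]
```

Feed it the Set-Cookie lines from a captured HTTPS response to the device's login page; any name returned by session_cookies_at_risk is a cookie to raise with the vendor or to compensate for with the network restrictions above.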
Mitigations - no patch available
SIMATIC S7-400 PN/DP CPU family (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For SIMATIC S7-400 PN/DP CPU: disable the web interface if not required for operations and configure access only via secure VPN or air-gapped engineering network
HARDENING: Implement network segmentation to isolate engineering interfaces from general IT network traffic and untrusted users
HARDENING: Enforce strong authentication credentials on all PLC web interfaces and require periodic password changes for engineering accounts
CVEs (2)