OTPulse

Remote Code Execution Vulnerability in Multiple SIMATIC Software Products

Action: Plan patch · CVSS 7.8 · SSA-641963 · Published Jul 13, 2021
Attack Vector: Local
Privileges Required: Low
Attack Complexity: Low
User Interaction: None needed
Summary

Multiple SIMATIC software products contain a vulnerability in their handling of project files that could allow an attacker to execute arbitrary code on engineering workstations. The flaw is a buffer copy without checking the size of the input (CWE-120), triggered when the software parses a crafted project file. Affected products are SIMATIC PCS 7 (V9.0 versions before V9.0 SP3; V8.2 and earlier have no fix), SIMATIC PDM (fixed in V9.2), SIMATIC STEP 7 V5.X (fixed in V5.6 SP2 HF3) and SINAMICS STARTER (fixed in V5.4 HF2). An attacker could manipulate a project file and trick an engineer into opening it, leading to code execution with that user's privileges on the engineering workstation.

What this means
What could happen
An attacker who gets a manipulated SIMATIC project file onto an engineering workstation and opened there could execute arbitrary code with the engineer's privileges. From that workstation, the attacker could alter logic in PLCs, safety systems or process controllers that run critical infrastructure operations.
Who's at risk
This affects organizations running Siemens SIMATIC software on engineering workstations: SIMATIC PCS 7 (process control system), SIMATIC PDM (Process Device Manager), SIMATIC STEP 7 V5.X (PLC programming) and SINAMICS STARTER (drive commissioning and engineering). Water authorities, electric utilities and other critical infrastructure operators that use these tools to program and maintain PLCs, safety controllers and process systems are at risk.
How it could be exploited
An attacker would need to get a malicious project file onto an engineering workstation running a vulnerable version of SIMATIC PCS 7, SIMATIC PDM, SIMATIC STEP 7 V5.X or SINAMICS STARTER, for example via USB media, a network share or an email attachment. When an engineer opens the file, the flaw in the software's project-file parsing lets the attacker's code run with the engineer's privileges. From there, the attacker could modify PLC programs or interact with whatever control systems the workstation can reach.
Prerequisites
  • Local file access to the engineering workstation (USB, network share, or email attachment)
  • User with SIMATIC software installed must open the malicious project file
  • Affected version of SIMATIC PCS 7, PDM, STEP 7, or SINAMICS STARTER installed on the workstation
Key points
  • Low attack complexity
  • Requires local file access (not remotely exploitable over the network)
  • No authentication bypassed
  • Affects engineering workstations that may interact with critical control systems
  • No fix available for SIMATIC PCS 7 V8.2 and earlier
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (5): 4 with fix, 1 EOL

Product                                            Affected Versions   Fix Status
SIMATIC PCS 7 V9.0                                 < V9.0 SP3          V9.0 SP3
SIMATIC PDM                                        < V9.2              V9.2
SIMATIC STEP 7 V5.X                                < V5.6 SP2 HF3      V5.6 SP2 HF3
SINAMICS STARTER (containing STEP 7 OEM version)   < V5.4 HF2          V5.4 HF2
SIMATIC PCS 7 V8.2 and earlier                     All versions        No fix (EOL)
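To turn the fix table into a check that can run over an inventory export, here is an added example in Python (not OTPulse's or Siemens' code). It parses version strings in the form the advisory uses, V<major>.<minor> followed by optional SP<n> and HF<n>, compares them against the fixed versions listed above, and reports SIMATIC PCS 7 V8.2 and earlier as end of life. The hostnames and installed versions in the sample inventory are constructed; the product name keys and the handling of PCS 7 versions the table does not name (reported as "not listed") are this example's assumptions.

```python
"""Version triage against the SSA-641963 fix table.

Added example, not OTPulse or Siemens code.  Version strings are assumed to
follow the advisory's own form: "V<major>.<minor> [SP<n>] [HF<n>]".
"""
import re

# Fixed versions from the advisory table ("Affected Versions" is "< fix").
FIXES = {
    "SIMATIC PDM": "V9.2",
    "SIMATIC STEP 7 V5.X": "V5.6 SP2 HF3",
    "SINAMICS STARTER": "V5.4 HF2",
}
PCS7_V90_FIX = "V9.0 SP3"      # SIMATIC PCS 7 V9.0 line
PCS7_EOL_CEILING = (8, 2)      # SIMATIC PCS 7 V8.2 and earlier: no fix

_VERSION_RE = re.compile(
    r"^\s*V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*SP(?P<sp>\d+))?"
    r"(?:\s*HF(?P<hf>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """'V5.6 SP2 HF3' -> (5, 6, 2, 3).

    A missing SP or HF counts as 0, so 'V5.6 SP2' sorts below
    'V5.6 SP2 HF3' and 'V5.6 SP3' sorts above it."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(m.group(g) or 0) for g in ("major", "minor", "sp", "hf"))


def assess(product, installed):
    """Map (product, installed version) to a remediation status string."""
    ver = parse_version(installed)
    if product == "SIMATIC PCS 7":
        if ver[:2] <= PCS7_EOL_CEILING:
            return "no fix (EOL): apply compensating controls"
        if ver[:2] == (9, 0):
            fix = PCS7_V90_FIX
        else:
            # V9.1 and later are not named in this advisory (assumption:
            # report, do not guess).
            return "not listed in SSA-641963"
    elif product in FIXES:
        fix = FIXES[product]
    else:
        return "not listed in SSA-641963"
    return "fixed" if ver >= parse_version(fix) else f"vulnerable: update to {fix}"


def assess_inventory(rows):
    """rows: iterable of (hostname, product, installed version)."""
    return [(host, product, version, assess(product, version))
            for host, product, version in rows]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ews-01", "SIMATIC STEP 7 V5.X", "V5.6 SP2 HF1"),
    ("ews-02", "SIMATIC STEP 7 V5.X", "V5.6 SP2 HF3"),
    ("ews-03", "SIMATIC PCS 7", "V8.2 SP1"),
    ("ews-04", "SIMATIC PCS 7", "V9.0 SP2"),
    ("ews-05", "SIMATIC PDM", "9.1"),
    ("ews-06", "SINAMICS STARTER", "V5.4 HF2"),
]

if __name__ == "__main__":
    for host, product, version, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {product:22} {version:14} {status}")
```

The comparison is a plain tuple comparison, so a later service pack (V5.6 SP3) correctly counts as fixed even though it does not carry the HF3 suffix; strings the regex does not recognise raise rather than silently passing as "fixed".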
Remediation & Mitigation
Schedule: requires maintenance window

Patching may require a reboot of the affected workstation or server, so plan for the interruption to engineering and operator functions.

HOTFIX  Update SIMATIC PDM to V9.2 or later
HOTFIX  Update SIMATIC PCS 7 V9.0 to V9.0 SP3 or later
HOTFIX  Update SIMATIC STEP 7 V5.X to V5.6 SP2 HF3 or later
HOTFIX  Update SINAMICS STARTER to V5.4 HF2 or later
Mitigations (no patch available)
SIMATIC PCS 7 V8.2 and earlier has reached end of life and the vendor will not release a patch. Apply the following compensating controls:
HARDENING  Restrict who can write project files to, and open them on, engineering workstations, and validate project files from untrusted sources (USB media, network shares, email) before they are opened
HARDENING  Segment the network so that engineering workstations are not reachable from the general corporate network or from untrusted external sources
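One way to make the "validate project files before opening" control concrete on a workstation that cannot be patched is a hash manifest: the project is hashed once in its trusted location, and a copy that later arrives by USB, share or mail is released to the engineer only if every file still matches and nothing was added or removed. The following is an added example in Python, not OTPulse's or Siemens' code; the directory layout, manifest format and placeholder file contents are this example's constructions, and real PCS 7 or STEP 7 project trees contain far more files. It only protects files that already have a known-good copy; a genuinely new project still needs a trusted transfer path.

```python
"""Hash-manifest gate for project files on an unpatched engineering workstation.

Added example, not OTPulse or Siemens code.  Implements one form of the
"validate before opening" compensating control: a trusted project tree is
hashed into a manifest; an incoming copy is released for opening only if
every file matches and no file is missing or unexpected.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large project archives stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under a trusted project tree."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def check_project(root, manifest):
    """Compare an incoming project tree with a trusted manifest.

    Returns (ok_to_open, findings).  Any modified, missing or unexpected
    file is enough to withhold the project from the engineer."""
    current = build_manifest(root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in current.keys() - manifest.keys():
        findings.append(f"unexpected: {rel}")
    return (not findings, sorted(findings))


def demo():
    """Build a trusted project, a clean copy and a tampered copy.

    All file names and contents are constructed placeholders, not real
    STEP 7 / PCS 7 project data."""
    work = tempfile.mkdtemp()
    try:
        trusted = os.path.join(work, "trusted", "Plant_A")
        os.makedirs(os.path.join(trusted, "s7proj"))
        with open(os.path.join(trusted, "Plant_A.s7p"), "wb") as fh:
            fh.write(b"PLACEHOLDER-PROJECT-HEADER\n")
        with open(os.path.join(trusted, "s7proj", "blocks.dat"), "wb") as fh:
            fh.write(b"OB1 FC1 DB1\n")
        manifest = build_manifest(trusted)

        clean = os.path.join(work, "incoming_clean")
        shutil.copytree(trusted, clean)

        tampered = os.path.join(work, "incoming_tampered")
        shutil.copytree(trusted, tampered)
        with open(os.path.join(tampered, "s7proj", "blocks.dat"), "ab") as fh:
            fh.write(b"\x90" * 64)           # simulated appended payload
        with open(os.path.join(tampered, "extra.dll"), "wb") as fh:
            fh.write(b"dropped alongside the project\n")

        return {
            "clean": check_project(clean, manifest),
            "tampered": check_project(tampered, manifest),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, (ok, findings) in demo().items():
        print(label, "OK to open" if ok else "BLOCKED", findings)
```

Store the manifest somewhere the transfer channel cannot touch (for example on the validating host, not on the same USB medium as the project), otherwise an attacker who can replace the project can replace the manifest with it.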