Multiple Vulnerabilities in Embedded FTP Server of SIMATIC CP Modules
Act Now | CVSS 8.8 | SSA-679335 | Aug 10, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SIMATIC CP 1543-1 and CP 1545-1 communication processor modules contain multiple vulnerabilities in the embedded ProFTPD component. An attacker could exploit these flaws to access sensitive information and execute arbitrary code on the device. The vulnerabilities stem from CWE-125 (out-of-bounds read) and CWE-416 (use-after-free) conditions in the FTP server implementation.
What this means
What could happen
An attacker with network access could read sensitive data from the communication processor or execute commands on it, potentially disrupting network communications for SIMATIC automation systems or accessing engineering data and credentials stored on the device.
Who's at risk
Water authorities, electric utilities, and other critical infrastructure operators using Siemens SIMATIC CP 1543-1 or CP 1545-1 communication processors in their automation networks. These devices are commonly used to connect programmable logic controllers (PLCs) to industrial networks or remote monitoring systems. Engineers and automation technicians who manage these systems are also affected by the risk of credential theft.
How it could be exploited
An attacker on the network connects to the FTP server port on the CP module using valid, low-privilege credentials. The attacker sends specially crafted FTP commands that trigger the out-of-bounds read or use-after-free condition, allowing code execution or information disclosure. No special network position or system knowledge is required beyond basic FTP client usage.
Prerequisites
- Valid user credentials for the FTP service on the CP module
- Network access to the FTP port (typically port 21) on the SIMATIC CP device
- The device must be running a vulnerable firmware version (CP 1543-1 < V3.0 or CP 1545-1 < V1.1)
- Remotely exploitable from network
- Requires valid credentials (reduces but does not eliminate risk)
- CVSS score 8.8 (high severity)
- EPSS score 68.9% (likely to be exploited in the wild)
- Can lead to code execution and data exfiltration
- Affects industrial communication infrastructure
Exploitability
High exploit probability (EPSS 68.9%)
Affected products (2)
2 with fix
Product                                      Affected versions   Fix status
SIMATIC CP 1543-1 (incl. SIPLUS variants)    < V3.0              Fixed in V3.0
SIMATIC CP 1545-1                            < V1.1              Fixed in V1.1
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the FTP port (port 21) on CP modules using firewall rules to limit exposure to trusted engineering workstations only
- HARDENING: Change default or weak FTP credentials on all CP modules to complex passwords and enforce access controls
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC CP 1545-1
- HOTFIX: Update SIMATIC CP 1545-1 to firmware version 1.1 or later
All products
- HOTFIX: Update SIMATIC CP 1543-1 to firmware version 3.0 or later
Long-term hardening
- HARDENING: Segment SIMATIC network from general corporate IT network to reduce attacker path to CP modules
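To decide which devices the hotfixes above apply to, an asset inventory has to be checked against the affected-versions table (CP 1543-1 below V3.0, CP 1545-1 below V1.1). The following triage script is an added example, not code from Siemens or from this advisory; the inventory records, hostnames and firmware strings in it are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix versions as given in the advisory's affected-products table (SSA-679335).
FIXED_VERSIONS: Dict[str, str] = {
    "SIMATIC CP 1543-1": "V3.0",
    "SIMATIC CP 1545-1": "V1.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Siemens-style firmware string such as 'V2.2.1' into a comparable tuple."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def normalise_product(name: str) -> Optional[str]:
    """Map an inventory product name (incl. SIPLUS variants) onto an advisory product key."""
    upper = name.upper()
    for product in FIXED_VERSIONS:
        model = product.replace("SIMATIC ", "")  # e.g. "CP 1543-1"
        if model in upper:
            return product
    return None  # not a product covered by this advisory


def is_vulnerable(product: str, firmware: str) -> Optional[bool]:
    """True if firmware is below the fix version, False if fixed, None if out of scope."""
    key = normalise_product(product)
    if key is None:
        return None
    return parse_version(firmware) < parse_version(FIXED_VERSIONS[key])


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory entries that still need the update, annotated with the target version."""
    findings = []
    for device in inventory:
        if is_vulnerable(device["product"], device["firmware"]):
            key = normalise_product(device["product"])
            findings.append({**device, "update_to": FIXED_VERSIONS[key]})
    return findings


# Constructed sample inventory (hostnames, products and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "cp-line1", "product": "SIMATIC CP 1543-1", "firmware": "V2.2"},
    {"host": "cp-line2", "product": "SIPLUS NET CP 1543-1", "firmware": "V3.0"},
    {"host": "cp-remote", "product": "SIMATIC CP 1545-1", "firmware": "V1.0.1"},
    {"host": "cp-other", "product": "SIMATIC CP 1243-1", "firmware": "V3.1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['firmware']} -> update to {f['update_to']}")
```

Version strings are compared as integer tuples, so V3.0.1 counts as fixed for CP 1543-1 while V2.9.9 does not.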
CVEs (2)