Incorrect Authorization Vulnerability in Industrial Products
Score 5.3 · Advisory SSA-865327 · Aug 10, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An incorrect authorization vulnerability allows an unauthenticated attacker to read PLC variables from affected Siemens devices without proper authentication under certain circumstances. The vulnerability affects SIMATIC Drive Controller, S7-1200, S7-1500, ET 200SP Open Controller, TIM 1531 IRC, and SIMATIC S7 PLCSIM Advanced.
What this means
What could happen
An attacker could read sensitive PLC variables (process data, setpoints, device state) without authentication, potentially revealing process information or system configuration that could be used to plan further attacks or disrupt operations.
Who's at risk
Manufacturing facilities using Siemens SIMATIC automation controllers should be concerned, specifically those operating S7-1200, S7-1500, Drive Controller, ET 200SP Open Controller, or TIM 1531 IRC devices. This affects both production PLCs and simulation/testing environments using PLCSIM Advanced.
How it could be exploited
An unauthenticated attacker with network access to the PLC can issue requests to read PLC variables directly. The device fails to enforce proper authorization checks, allowing the attacker to extract variable values without providing credentials.
Prerequisites
- Network access to the affected PLC on the data communication port (typically port 502 for S7 or port 161 for TIM devices)
- Device must be configured to allow remote variable access
- No authentication credentials required
Tags: Remotely exploitable · No authentication required · Low complexity · Information disclosure (variable read) · Affects process control devices
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
6 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC Drive Controller family | < V2.9.2 | 2.9.2
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9 | 21.9
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | Version V4.4 | 4.4.1
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | > V2.5 < V2.9.2 | 2.9.2
SIMATIC S7-1500 Software Controller | > V2.5 < V21.9 | 21.9
TIM 1531 IRC (incl. SIPLUS NET variants) | Version V2.1 | 2.2
SIMATIC S7 PLCSIM Advanced | > V2 < V4 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PLC data ports using firewall rules; allow variable access only from authorized engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 21.9 or later
All products
HOTFIX: Update SIMATIC Drive Controller to version 2.9.2 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 21.9 or later
HOTFIX: Update SIMATIC S7-1200 CPU to version 4.4.1 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to version 2.9.2 or later
HOTFIX: Update TIM 1531 IRC to version 2.2 or later
Mitigations - no patch available
SIMATIC S7 PLCSIM Advanced has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate affected PLCs on a dedicated control network segment not directly accessible from corporate network or internet until firmware updates are applied
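To turn the affected-version table and the remediation list above into a checklist for a real fleet, here is an added Python triage helper (not part of the advisory). It encodes the version ranges as printed in the table, with shortened product keys chosen here, and runs over constructed inventory lines; the exclusive-bound reading of "> V2.5 < V2.9.2" and the exact-match reading of "Version V4.4" are assumptions.

```python
# Added triage helper (not part of the advisory): checks a firmware inventory
# against the affected-version ranges and fix versions in the table above.
# The inventory lines at the bottom are constructed sample data.
def parse_version(s):
    return tuple(int(p) for p in s.strip().lstrip("Vv").split("."))  # 'V2.9.2' -> (2, 9, 2)

def cmp_ver(a, b):
    n = max(len(a), len(b))  # zero-pad so V2.9 compares equal to V2.9.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

# product -> (affected range, fixed version or None when EOL); "gt"/"lt" are
# exclusive bounds ("> V2.5 < V2.9.2"), "eq" is an exact "Version V4.4".
AFFECTED = {
    "SIMATIC Drive Controller":            ({"lt": "V2.9.2"},               "V2.9.2"),
    "SIMATIC ET 200SP Open Controller":    ({"lt": "V21.9"},                "V21.9"),
    "SIMATIC S7-1200 CPU":                 ({"eq": "V4.4"},                 "V4.4.1"),
    "SIMATIC S7-1500 CPU":                 ({"gt": "V2.5", "lt": "V2.9.2"}, "V2.9.2"),
    "SIMATIC S7-1500 Software Controller": ({"gt": "V2.5", "lt": "V21.9"},  "V21.9"),
    "TIM 1531 IRC":                        ({"eq": "V2.1"},                 "V2.2"),
    "SIMATIC S7 PLCSIM Advanced":          ({"gt": "V2", "lt": "V4"},       None),
}

def is_affected(product, version):
    spec, v = AFFECTED[product][0], parse_version(version)
    if "eq" in spec and cmp_ver(v, parse_version(spec["eq"])) != 0:
        return False
    if "gt" in spec and cmp_ver(v, parse_version(spec["gt"])) <= 0:
        return False
    if "lt" in spec and cmp_ver(v, parse_version(spec["lt"])) >= 0:
        return False
    return True

def triage(inventory):
    # 'host, product, version' lines -> list of (host, action)
    out = []
    for line in inventory:
        host, product, version = (f.strip() for f in line.split(","))
        if product not in AFFECTED:
            out.append((host, "not listed in advisory"))
        elif not is_affected(product, version):
            out.append((host, "not affected"))
        else:
            fix = AFFECTED[product][1]
            out.append((host, f"update to {fix}" if fix else "EOL: no fix, isolate"))
    return out

SAMPLE_INVENTORY = [  # constructed sample data
    "plc-line1, SIMATIC S7-1500 CPU, V2.8.3",
    "plc-line2, SIMATIC S7-1500 CPU, V2.5",
    "plc-pack, SIMATIC S7-1200 CPU, V4.4.1",
    "sim-host, SIMATIC S7 PLCSIM Advanced, V3.0",
]
```

Calling `triage(SAMPLE_INVENTORY)` flags plc-line1 for the 2.9.2 update, leaves the V2.5 and V4.4.1 devices alone, and marks the PLCSIM Advanced host as EOL with no fix.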
CVEs (1)