OTPulse

Open Redirect Vulnerability in SIMATIC S7-1500 and S7-1200 CPUs

Monitor · 4.7 · SSA-876787 · Oct 8, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

An open redirect vulnerability in the web server interface of SIMATIC S7-1500 and S7-1200 CPUs, as well as related Drive Controller, ET 200SP, and software controller variants, allows an attacker to craft a malicious link that redirects a user to an attacker-controlled URL when clicked. The vulnerability affects the web-based management interface of these devices. Exploitation requires a legitimate user to click on an attacker-supplied link. Siemens has released firmware updates for affected product lines.

What this means
What could happen
An attacker could trick an operator or engineer into clicking a link that redirects them to a fake login page or malicious website, potentially leading to credential theft or malware infection. This could compromise the ability to manage or monitor industrial processes safely.
Who's at risk
Manufacturers and transportation operators using SIMATIC S7-1200 and S7-1500 programmable logic controllers should be aware that the web server interfaces on these devices are vulnerable to open redirect attacks. This affects facilities that rely on web-based engineering workstations or remote management of industrial controllers, including systems that perform discrete manufacturing, assembly, material handling, or rail transport automation.
How it could be exploited
An attacker crafts a malicious URL containing an open redirect parameter and sends it to an authorized user (e.g., via email or embedded in a web page). When the user clicks the link, the PLC's web server redirects them to an attacker-controlled site instead of the legitimate destination. The attacker can then harvest credentials or distribute malware.
Prerequisites
  • Network access to the web server interface of an affected CPU (typically port 80 or 443)
  • A legitimate user must actively click on the attacker-crafted link
  • User access to the device's web interface (engineering staff or operators)
Tags
  • Remotely exploitable via web interface
  • Requires user interaction (clicking a link)
  • Low complexity attack
  • Affects widely deployed Siemens PLC models
  • No fix available for S7-1500 Software Controller Linux V2
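A detection sketch for the redirect behaviour described above, added here as an example and not taken from Siemens or this advisory: it scans web proxy records for 3xx responses served by a CPU web interface whose Location header leaves that controller. The record layout, subnet, addresses and host names are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: subnet holding CPU web interfaces (constructed, documentation range).
PLC_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed proxy records: client, server, HTTP status, Location header.
SAMPLE_LOG = """\
10.1.5.20 192.0.2.4 302 /start
10.1.5.21 192.0.2.4 302 https://192.0.2.4/start
10.1.5.22 192.0.2.4 302 https://login.example.net/cpu
10.1.5.23 192.0.2.5 302 //files.example.org/update
10.1.5.24 192.0.2.5 302 https://192.0.2.5@portal.example.com/
10.1.5.25 198.51.100.9 302 https://other.example.net/
10.1.5.26 192.0.2.4 200 -
"""

def is_plc(host):
    """True when the server address lies in a controller subnet."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in PLC_NETS)

def redirect_target(server, location):
    """Host the browser is sent to, or None if it stays on the server."""
    loc = location.strip().replace("\\", "/")  # browsers treat "\" as "/"
    parts = urlsplit(loc)
    if not parts.netloc:          # relative path: same origin
        return None
    host = (parts.hostname or "").lower()  # hostname drops any user@ prefix
    return None if host == server.lower() else host

def find_offsite_redirects(log_text):
    """Return (client, server, target_host) for each off-device redirect."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        client, server, status, location = fields
        if not (status.isdigit() and 300 <= int(status) < 400 and is_plc(server)):
            continue
        target = redirect_target(server, location)
        if target:
            hits.append((client, server, target))
    return hits

if __name__ == "__main__":
    for hit in find_offsite_redirects(SAMPLE_LOG):
        print("off-device redirect:", *hit)
```

Each hit names the workstation that followed the link, which is where credential resets and endpoint checks should start.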
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (144)
143 with fix, 1 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC Drive Controller CPU 1504D TF | < 3.1.4 | 3.1.4 |
| SIMATIC Drive Controller CPU 1507D TF | < 3.1.4 | 3.1.4 |
| SIMATIC ET 200SP CPU 1510SP F-1 PN | < 2.9.8 | 2.9.8 |
| SIMATIC ET 200SP CPU 1510SP F-1 PN | < 3.1.4 | 3.1.4 |
| SIMATIC ET 200SP CPU 1510SP-1 PN | < 2.9.8 | 2.9.8 |

Remediation & Mitigation
Do now
SIMATIC S7-1500 Software Controller Linux V2
WORKAROUND: For SIMATIC S7-1500 Software Controller Linux V2 (no fix available), restrict network access to the web interface to authorized engineering workstations only, using firewall rules or network segmentation.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 7.0 or later
All products
HOTFIX: Update SIMATIC S7-1500 and ET 200pro CPUs to firmware version 2.9.8 or later
HOTFIX: Update SIMATIC S7-1500, ET 200SP, Drive Controller, and related CPUs to firmware version 3.1.4 or later
HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.7.0 or later
HOTFIX: Update SIMATIC S7-1500 and ET 200SP Software Controller (Windows and Industrial OS) to version 21.9.8 (V2) or version 31.1.4 (V3)
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 21.9.8 (V2 Windows) or 31.1.4 (V3 Windows/Industrial OS)
Long-term hardening
HARDENING: Disable remote access to the web management interface on CPUs if not required for operations
HARDENING: Restrict HTTP/HTTPS access to the CPU web interface to trusted internal networks and specific IP addresses
HARDENING: Educate operators and engineering staff not to click on suspicious links, especially those pointing to CPU management interfaces