OTPulse

Multiple Vulnerabilities in LOGO! 8 BM Devices

Act Now | 9.8 | SSA-955858 | Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

LOGO! 8 BM devices contain multiple web-related vulnerabilities (CWE-120 buffer overflow, CWE-20 improper input validation, CWE-1285 improper validation) that allow remote code execution, denial of service, or memory disclosure. All current production versions are affected across all SKUs (12/24/230RCE, 24CE and their "o" variants, plus SIPLUS industrial models). Siemens has not released firmware patches for existing hardware but has released new hardware versions (LOGO! V8.4 BM and SIPLUS LOGO! V8.4 BM families) in which several vulnerabilities are addressed. Network segmentation and access control are the primary mitigations for devices in the field.

What this means
What could happen
An attacker with network access to a LOGO! 8 BM device could execute arbitrary code on the controller, causing it to run unintended automation logic, go offline, or expose process memory. This could disrupt any automated process the device controls—water treatment operations, pump scheduling, electrical distribution logic, or safety-critical functions.
Who's at risk
Water utilities, municipal electric utilities, and any facility using Siemens LOGO! 8 BM logic controllers for process automation should be concerned. These small, affordable PLCs are widely used for pump control, valve actuation, load shedding, and other critical automation tasks. All LOGO! 12/24/230RCE and 24CE variants (including SIPLUS industrial-grade models) in both standard and 'o' (online) versions are affected.
How it could be exploited
An attacker sends a crafted request over the network to the LOGO! 8 BM's web interface (port 80 or 443). Flaws in input validation (CWE-20) and buffer handling (CWE-120) allow the malicious payload to execute code directly on the device. No credentials are required—the attacker only needs network reachability to the device's IP address.
Prerequisites
  • Network access to the LOGO! 8 BM device on its HTTP/HTTPS port (typically 80 or 443)
  • No authentication credentials required
  • Device must be reachable from the attacker's network segment
remotely exploitable | no authentication required | low complexity | no patch available | affects process control and safety-related automation
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (16)
16 EOL
Product                  Affected Versions    Fix Status
LOGO! 12/24RCE           All versions         No fix (EOL)
LOGO! 230RCE             All versions         No fix (EOL)
LOGO! 230RCEo            All versions         No fix (EOL)
SIPLUS LOGO! 230RCE      All versions         No fix (EOL)
SIPLUS LOGO! 230RCEo     All versions         No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate LOGO! 8 BM devices on a dedicated automation network segment with firewall rules blocking any inbound HTTP/HTTPS connections from untrusted networks
  • WORKAROUND: Implement network access controls so only authorized engineering workstations can reach the LOGO! device's web interface (e.g., firewall ACLs, VPN, or industrial DMZ)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Replace affected LOGO! 8 BM devices with LOGO! V8.4 BM or SIPLUS LOGO! V8.4 BM hardware versions (new product families where multiple vulnerabilities are fixed)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: LOGO! 12/24RCE, LOGO! 230RCE, LOGO! 230RCEo, SIPLUS LOGO! 230RCE, SIPLUS LOGO! 230RCEo, LOGO! 24CE, LOGO! 24CEo, SIPLUS LOGO! 24CE, SIPLUS LOGO! 24CEo, LOGO! 24RCE, LOGO! 24RCEo, SIPLUS LOGO! 24RCE, SIPLUS LOGO! 24RCEo, LOGO! 12/24RCEo, SIPLUS LOGO! 12/24RCE, SIPLUS LOGO! 12/24RCEo. Apply the following compensating controls:
  • HARDENING: Follow Siemens operational guidelines for Industrial Security and apply defense-in-depth principles (segmentation, access control, monitoring)
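
To check that the segmentation and access-control mitigations above actually hold, firewall flow records can be audited for web traffic reaching the controllers from outside the engineering workstations. The following is an added example, not part of the advisory or of any Siemens tooling; the flow-log format, the IP addresses and the names LOGO_DEVICES and ENGINEERING_NETS are assumptions constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumption): controller IPs and the authorized engineering subnet.
LOGO_DEVICES = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/28")]
WEB_PORTS = {80, 443}  # web interface ports named in the advisory

# Constructed flow log, one record per line: timestamp src dst dport action
SAMPLE_FLOWS = """\
2022-10-12T08:01:10Z 10.20.5.4 10.20.0.11 443 ALLOW
2022-10-12T08:02:31Z 10.30.7.19 10.20.0.11 80 ALLOW
2022-10-12T08:03:02Z 198.51.100.23 10.20.0.12 443 DENY
2022-10-12T08:04:45Z 10.30.7.19 10.20.0.12 502 ALLOW
malformed line
2022-10-12T08:05:00Z 10.20.5.9 10.20.0.12 80 ALLOW
"""

def parse_flow(line):
    """Return (ts, src, dst, dport, action), or None for an unparseable line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), action.upper())
    except ValueError:
        return None

def audit(text):
    """List web-interface flows to LOGO! devices from unauthorized sources."""
    findings = []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records instead of aborting the audit
        ts, src, dst, dport, action = rec
        if dst not in LOGO_DEVICES or dport not in WEB_PORTS:
            continue  # not traffic to a controller's web interface
        if any(src in net for net in ENGINEERING_NETS):
            continue  # authorized engineering workstation
        # An ALLOW means the ACL has a gap; a DENY means the control worked.
        kind = "policy-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append((kind, ts, str(src), str(dst), dport))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

A "policy-gap" finding means a firewall rule still lets an unauthorized source reach the web interface and should be closed; "blocked-attempt" findings are worth reviewing as monitoring signals.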