Author: Admin @CloudCentric

Elseta Vinci Protocol Analyzer

Written by Admin @CloudCentric on February 20, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Elseta
Equipment: Vinci Protocol Analyzer
Vulnerability: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges and perform code execution on the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Elseta products are affected:

Vinci Protocol Analyzer: Versions prior to 3.2.3.19

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on affected system.

CVE-2025-1265 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1265. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Lithuania

3.4 RESEARCHER

Nguyen Huu Thien Duc reported this vulnerability to CISA.

4. MITIGATIONS

Elseta recommends affected users update to version 3.2.3.19 or later. Contact Elseta for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 20, 2025: Initial Publication

Dingtian DT-R0 Series

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Dingtian
Equipment: DT-R0 Series
Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify the device settings and gain administrator access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Dingtian DT-R0 Series are affected:

DT-R002: Version V3.1.3044A
DT-R008: Version V3.1.1759A
DT-R016: Version V3.1.2776A
DT-R032: Version V3.1.3826A

3.2 Vulnerability Overview

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page.

CVE-2025-1283 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1283. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Cumhur Kizilari (Zeus) reported this vulnerability to CISA.

4. MITIGATIONS

Dingtian has not responded to requests to work with CISA to mitigate this vulnerability, thus no mitigation is available at this time. Users of affected versions of Dingtian DT-R002 are invited to contact Dingtian customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

Siemens SIMATIC PCS neo and TIA Administrator

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC PCS neo and TIA Administrator
Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

SIMOCODE ES V19: Versions prior to V19 Update 1
TIA Administrator: Versions 3.0.4 and prior
SIMATIC PCS neo V4.1: Versions prior to V4.1 Update 2
SIMATIC PCS neo V4.0: All versions
SIRIUS Safety ES V19 (TIA Portal): Versions prior to V19 Update 1
SIRIUS Soft Starter ES V19 (TIA Portal): Versions prior to V19 Update 1
SIMATIC PCS neo V5.0: Versions prior to V5.0 Update 1

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT SESSION EXPIRATION CWE-613

Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

CVE-2024-45386 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45386. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Close browser and client after logout and remove all locally stored session tokens
SIMATIC PCS neo V4.0: Currently no fix is planned
SIMOCODE ES V19: Update to V19 Update 1 or later version
SIRIUS Soft Starter ES V19 (TIA Portal): Update to V19 Update 1 or later version
SIRIUS Safety ES V19 (TIA Portal): Update to V19 Update 1 or later version
TIA Administrator: Update to V3.0.4 or later version
SIMATIC PCS neo V4.1: Update to V4.1 Update 2 or later version
SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-342348 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

Outback Power Mojave Inverter

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Outback Power
Equipment: Mojave Inverter
Vulnerabilities: Use of GET Request Method With Sensitive Query Strings, Exposure of Sensitive Information to an Unauthorized Actor, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access sensitive data or inject commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Outback Power Mojave Inverter, a system for managing power in a residential grid-connected battery backup system, are affected:

Outback Power Mojave Inverter: All versions

3.2 VU;NERABILITY OVERVIEW

3.2.1 Use of GET Request Method With Sensitive Query Strings CWE-598

The Mojave Inverter uses the GET method for sensitive information.

CVE-2025-26473 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated forCVE-2025-26473. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

An attacker may modify the URL to discover sensitive information about the target network.

CVE-2025-25281 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated forCVE-2025-25281. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Improper Neutralization of Special Elements used in a Command CWE-77

An attacker may inject commands via specially-crafted post requests.

CVE-2025-24861 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated forCVE-2025-24861. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.

4. MITIGATIONS

The Mojave Inverter was a product of Enersys. When Outback Power was split off from Enersys recently, Mojave Inverter was moved to Outback Power, but without the resources to maintain the product. Outback Power may discontinue this product and has not yet addressed these vulnerabilities. CISA recommends disabling the networking features of this product until a replacement product can be acquired.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Disable un-used functions.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

Siemens SIMATIC

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC
Vulnerability: Observable Discrepancy

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to identify valid usernames.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following SIMATIC products are affected:

Siemens SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): vers:all/<V4.7
Siemens SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): vers:all/<V4.7
Siemens SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): vers:all/>=V30.1.0
Siemens SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-PLCSIM Advanced: vers:all/>=V6.0|<V7.0
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): vers:all/>=V3.1.0|<V3.1.2
Siemens SIMATIC S7-1500 Software Controller: vers:all/>=V30.1.0

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE DISCREPANCY CWE-203

The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames.

CVE-2023-37482 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-37482. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

David Henrique Estevam de Andrade reported this vulnerability to Siemens.
Siemens then reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants), SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0), SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0), SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0), SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): Disable HTTP (Port 80/tcp) and provide web service access through HTTPS (Port 443/tcp) only; the vulnerability is considered as only exploitable via HTTP.
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants), SIMATIC S7-1500 Software Controller: Currently no fix is available.
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0), SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0), SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0), SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): Update to V3.1.2 or a later version.
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Update to V3.1.2 or later version.
SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0), SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0), SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0), SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0), SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Update to V4.7 or a later version.
SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0), SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0), SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0), SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Update to V4.7 or a later version.
SIMATIC S7-PLCSIM Advanced: Update to V7.0 or a later version.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-195895 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

ORing IAP-420

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: ORing
Equipment: IAP-20
Vulnerabilities: Cross-site Scripting, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to invoke commands to compromise the device via the management interface.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ORing products are affected:

IAP-420: Versions 2.01e and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A stored cross-site scripting can be triggered by placing JavaScript code into the SSID input field of the web interface. An attacker could exploit this vulnerability by luring an authenticated user to visit a malicious website.

CVE-2024-5410 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5410. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The filename parameter of a configuration file upload is prone to a command injection vulnerability. This vulnerability can only be exploited if a user is authenticated to the web interface. An attacker could invoke commands and gain full control over the device.

CVE-2024-5411 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5411. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

CISA discovered public proof of concept (PoC) as authored by Thomas Weber of CyberDanube and reported it to ORing.

4. MITIGATIONS

ORing is aware of the vulnerabilities and is working to produce a fix. For more information, contact ORing directly.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

Siemens Teamcenter

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Teamcenter
Vulnerability: URL Redirection to Untrusted Site (‘Open Redirect’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to redirect the legitimate user to an attacker-controlled URL to steal valid session data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

Siemens Teamcenter: All versions prior to V14.3.0.0

3.2 VULNERABILITY OVERVIEW

3.2.1 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

The SSO login service of affected applications accepts user-controlled input that could specify a link to an external site. This could allow an attacker to redirect the legitimate user to an attacker-controlled URL to steal valid session data. For a successful exploit, the legitimate user must actively click on an attacker-crafted link.

CVE-2025-23363 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nicolo Vinci reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Teamcenter: Do not click on links from untrusted sources
Teamcenter: Update to V14.3.0.0 or later version

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-656895 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

Siemens SIMATIC S7-1200 CPU Family

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC S7-1200 CPU Family
Vulnerabilities: Improper Resource Shutdown or Release, Improper Validation of Syntactic Correctness of Input

2. RISK EVALUATION

The affected devices do not correctly process certain special crafted packets sent to Port 80/tcp and Port 102/tcp, which could allow an attacker to cause a denial of service in the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): vers:all/<V4.7
Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): vers:all/<V4.7
Siemens SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): vers:all/<V4.7

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

The affected devices do not correctly process certain special crafted packets sent to Port 80/tcp, which could allow an unauthenticated attacker to cause a denial of service in the device.

CVE-2025-24811 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24811. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286

The affected devices do not correctly process certain special crafted packets sent to Port 102/tcp, which could allow an attacker to cause a denial of service in the device.

CVE-2025-24812 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24812. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Gao Jian coordinated the disclosure of CVE-2025-24812 with Siemens.
Siemens then reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0), SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0), SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0), SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0), SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Update to V4.7 or a later version.
SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0), SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0), SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0), SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Update to V4.7 or a later version.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-224824 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

Siemens SIPROTEC 5 Devices

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIPROTEC 5 Devices
Vulnerability: Use of Default Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to retrieve sensitive information of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

Siemens SIPROTEC 5 7VE85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SS85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2): All versions prior to V9.90
Siemens SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2): All versions prior to V9.90
Siemens SIPROTEC 5 7UT82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7UT85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 6MD84 (CP300): All versions prior to V9.90
Siemens SIPROTEC 5 7SJ82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7SL86 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7KE85 (CP300): Versions later than and including V8.80
Siemens SIPROTEC 5 7SJ86 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 6MD86 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SX82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7SL87 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SA82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7SL82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7SJ85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7ST85 (CP300): Versions later than and including V8.80
Siemens SIPROTEC 5 7ST86 (CP300): All versions
Siemens SIPROTEC 5 7SD82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7SK85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 Compact 7SX800 (CP050): Version V9.50 up to but not including V9.90
Siemens SIPROTEC 5 6MD85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 6MU85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SK82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7SA87 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7VK87 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7VU85 (CP300): All versions prior to V9.90
Siemens SIPROTEC 5 7SA86 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SD87 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 Communication Module ETH-BD-2FO: Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 6MD89 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7UM85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SJ81 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7UT86 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SX85 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7UT87 (CP300): Version V8.80 up to but not including V9.90
Siemens SIPROTEC 5 7SY82 (CP150): All versions prior to V9.90
Siemens SIPROTEC 5 7SD86 (CP300): Version V8.80 up to but not including V9.90

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF DEFAULT CREDENTIALS CWE-1392

Affected devices do not properly validate SNMP GET requests. This could allow an unauthenticated, remote attacker to retrieve sensitive information of the affected devices with SNMPv2 GET requests using default credentials.

CVE-2024-54015 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-54015. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

All affected products: Restrict access to port 161/udp to trusted IP addresses only.
All affected products: Disable the SNMP service running in the communication modules, if not used.
SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300): Currently no fix is available.
SIPROTEC 5 Compact 7SX800 (CP050): Update to V9.90 or later version.
SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UT82 (CP150): Update to V9.90 or later version.
SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300): Update to V9.90 or later version.
SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2), SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2), SIPROTEC 5 Communication Module ETH-BD-2FO: Update to V9.90 or later version.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-767615 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2025: Initial Publication

Siemens SIPROTEC 5

Written by Admin @CloudCentric on February 13, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: SIPROTEC 5
Vulnerability: Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with physical access to read the sensitive information from the filesystem of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

Siemens SIPROTEC 5 7SK85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SJ81 (CP100): vers:all/*
Siemens SIPROTEC 5 7SL86 (CP300): vers:all/*
Siemens SIPROTEC 5 7SL86 (CP200): vers:all/*
Siemens SIPROTEC 5 7SJ86 (CP300): vers:all/*
Siemens SIPROTEC 5 7SK82 (CP100): vers:all/*
Siemens SIPROTEC 5 6MD84 (CP300): vers:all/*
Siemens SIPROTEC 5 7SA87 (CP200): vers:all/*
Siemens SIPROTEC 5 7ST85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SD87 (CP200): vers:all/*
Siemens SIPROTEC 5 7UT87 (CP300): vers:all/*
Siemens SIPROTEC 5 6MD89 (CP300): vers:all/*
Siemens SIPROTEC 5 7SD82 (CP100): vers:all/*
Siemens SIPROTEC 5 6MD85 (CP300): vers:all/*
Siemens SIPROTEC 5 7ST86 (CP300): vers:all/*
Siemens SIPROTEC 5 7SJ82 (CP150): vers:all/*
Siemens SIPROTEC 5 7UT86 (CP200): vers:all/*
Siemens SIPROTEC 5 7SX85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SD87 (CP300): vers:all/*
Siemens SIPROTEC 5 7VU85 (CP300): vers:all/*
Siemens SIPROTEC 5 6MU85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SD86 (CP300): vers:all/*
Siemens SIPROTEC 5 7UT86 (CP300): vers:all/*
Siemens SIPROTEC 5 7VK87 (CP200): vers:all/*
Siemens SIPROTEC 5 7UT85 (CP300): vers:all/*
Siemens SIPROTEC 5 7UT82 (CP150): vers:all/*
Siemens SIPROTEC 5 7SA87 (CP300): vers:all/*
Siemens SIPROTEC 5 7SJ81 (CP150): vers:all/*
Siemens SIPROTEC 5 7SJ82 (CP100): vers:all/*
Siemens SIPROTEC 5 7SA82 (CP100): vers:all/*
Siemens SIPROTEC 5 7UT87 (CP200): vers:all/*
Siemens SIPROTEC 5 7SX82 (CP150): vers:all/*
Siemens SIPROTEC 5 7SD86 (CP200): vers:all/*
Siemens SIPROTEC 5 7SL87 (CP300): vers:all/*
Siemens SIPROTEC 5 6MD85 (CP200): vers:all/*
Siemens SIPROTEC 5 7ST85 (CP200): vers:all/*
Siemens SIPROTEC 5 Compact 7SX800 (CP050): vers:all/*
Siemens SIPROTEC 5 6MD86 (CP300): vers:all/*
Siemens SIPROTEC 5 7SD82 (CP150): vers:all/*
Siemens SIPROTEC 5 7KE85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SL82 (CP100): vers:all/*
Siemens SIPROTEC 5 7SL82 (CP150): vers:all/*
Siemens SIPROTEC 5 7VE85 (CP300): vers:all/*
Siemens SIPROTEC 5 7KE85 (CP200): vers:all/*
Siemens SIPROTEC 5 7SA86 (CP200): vers:all/*
Siemens SIPROTEC 5 7SL87 (CP200): vers:all/*
Siemens SIPROTEC 5 7SY82 (CP150): vers:all/*
Siemens SIPROTEC 5 6MD86 (CP200): vers:all/*
Siemens SIPROTEC 5 7SJ86 (CP200): vers:all/*
Siemens SIPROTEC 5 7SA86 (CP300): vers:all/*
Siemens SIPROTEC 5 7UM85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SS85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SK82 (CP150): vers:all/*
Siemens SIPROTEC 5 7UT82 (CP100): vers:all/*
Siemens SIPROTEC 5 7SS85 (CP200): vers:all/*
Siemens SIPROTEC 5 7SJ85 (CP200): vers:all/*
Siemens SIPROTEC 5 7UT85 (CP200): vers:all/*
Siemens SIPROTEC 5 7SK85 (CP200): vers:all/*
Siemens SIPROTEC 5 7VK87 (CP300): vers:all/*
Siemens SIPROTEC 5 7SJ85 (CP300): vers:all/*
Siemens SIPROTEC 5 7SA82 (CP150): vers:all/*

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

The affected devices do not encrypt certain data within the on-board flash storage on their PCB. This could allow an attacker with physical access to read the entire filesystem of the device.

CVE-2024-53651 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-53651. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Steffen Robertz, Stefan Viehböck, and Constantin Schieber-Knöbl from SEC Consult Vulnerability Lab reported this vulnerability to Siemens.
Siemens then reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

All affected products: Limit physical access to affected devices to trusted personnel.
All affected products: Provision certificates signed by customer PKI as described in https://support.industry.siemens.com/cs/document/109768375.
SIPROTEC 5 6MD85 (CP200), SIPROTEC 5 6MD86 (CP200), SIPROTEC 5 7KE85 (CP200), SIPROTEC 5 7SA86 (CP200), SIPROTEC 5 7SA87 (CP200), SIPROTEC 5 7SD86 (CP200), SIPROTEC 5 7SD87 (CP200), SIPROTEC 5 7SJ85 (CP200), SIPROTEC 5 7SJ86 (CP200), SIPROTEC 5 7SK85 (CP200), SIPROTEC 5 7SL86 (CP200), SIPROTEC 5 7SL87 (CP200), SIPROTEC 5 7SS85 (CP200), SIPROTEC 5 7ST85 (CP200), SIPROTEC 5 7UT85 (CP200), SIPROTEC 5 7UT86 (CP200), SIPROTEC 5 7UT87 (CP200), SIPROTEC 5 7VK87 (CP200): Currently no fix is planned.
SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT82 (CP100), SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300), SIPROTEC 5 Compact 7SX800 (CP050): Currently no fix is available.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-111547 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 13, 2025: Initial Publication