Author: Admin @CloudCentric

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Dingtian
• Equipment: DT-R0 Series
• Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify the device settings and gain administrator access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Dingtian DT-R0 Series are affected:

• DT-R002: Version V3.1.3044A
• DT-R008: Version V3.1.1759A
• DT-R016: Version V3.1.2776A
• DT-R032: Version V3.1.3826A

3.2 Vulnerability Overview

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page.

CVE-2025-1283 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1283. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Cumhur Kizilari (Zeus) reported this vulnerability to CISA.

4. MITIGATIONS

Dingtian has not responded to requests to work with CISA to mitigate this vulnerability, thus no mitigation is available at this time. Users of affected versions of Dingtian DT-R002 are invited to contact Dingtian customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC PCS neo and TIA Administrator
• Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMOCODE ES V19: Versions prior to V19 Update 1
• TIA Administrator: Versions 3.0.4 and prior
• SIMATIC PCS neo V4.1: Versions prior to V4.1 Update 2
• SIMATIC PCS neo V4.0: All versions
• SIRIUS Safety ES V19 (TIA Portal): Versions prior to V19 Update 1
• SIRIUS Soft Starter ES V19 (TIA Portal): Versions prior to V19 Update 1
• SIMATIC PCS neo V5.0: Versions prior to V5.0 Update 1

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT SESSION EXPIRATION CWE-613

Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

CVE-2024-45386 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45386. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Close browser and client after logout and remove all locally stored session tokens
• SIMATIC PCS neo V4.0: Currently no fix is planned
• SIMOCODE ES V19: Update to V19 Update 1 or later version
• SIRIUS Soft Starter ES V19 (TIA Portal): Update to V19 Update 1 or later version
• SIRIUS Safety ES V19 (TIA Portal): Update to V19 Update 1 or later version
• TIA Administrator: Update to V3.0.4 or later version
• SIMATIC PCS neo V4.1: Update to V4.1 Update 2 or later version
• SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-342348 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Outback Power
• Equipment: Mojave Inverter
• Vulnerabilities: Use of GET Request Method With Sensitive Query Strings, Exposure of Sensitive Information to an Unauthorized Actor, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access sensitive data or inject commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Outback Power Mojave Inverter, a system for managing power in a residential grid-connected battery backup system, are affected:

• Outback Power Mojave Inverter: All versions

3.2 VU;NERABILITY OVERVIEW

3.2.1 Use of GET Request Method With Sensitive Query Strings CWE-598

The Mojave Inverter uses the GET method for sensitive information.

CVE-2025-26473 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated forCVE-2025-26473. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

An attacker may modify the URL to discover sensitive information about the target network.

CVE-2025-25281 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated forCVE-2025-25281. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Improper Neutralization of Special Elements used in a Command CWE-77

An attacker may inject commands via specially-crafted post requests.

CVE-2025-24861 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated forCVE-2025-24861. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: United States
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.

4. MITIGATIONS

The Mojave Inverter was a product of Enersys. When Outback Power was split off from Enersys recently, Mojave Inverter was moved to Outback Power, but without the resources to maintain the product. Outback Power may discontinue this product and has not yet addressed these vulnerabilities. CISA recommends disabling the networking features of this product until a replacement product can be acquired.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Disable un-used functions.
• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC
• Vulnerability: Observable Discrepancy

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to identify valid usernames.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following SIMATIC products are affected:

• Siemens SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): vers:all/>=V30.1.0
• Siemens SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-PLCSIM Advanced: vers:all/>=V6.0|<V7.0
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): vers:all/>=V3.1.0|<V3.1.2
• Siemens SIMATIC S7-1500 Software Controller: vers:all/>=V30.1.0

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE DISCREPANCY CWE-203

The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames.

CVE-2023-37482 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-37482. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

David Henrique Estevam de Andrade reported this vulnerability to Siemens.
Siemens then reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants), SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0), SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0), SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0), SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): Disable HTTP (Port 80/tcp) and provide web service access through HTTPS (Port 443/tcp) only; the vulnerability is considered as only exploitable via HTTP.
• SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants), SIMATIC S7-1500 Software Controller: Currently no fix is available.
• SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0), SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0), SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0), SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): Update to V3.1.2 or a later version.
• SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Update to V3.1.2 or later version.
• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0), SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0), SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0), SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0), SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Update to V4.7 or a later version.
• SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0), SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0), SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0), SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Update to V4.7 or a later version.
• SIMATIC S7-PLCSIM Advanced: Update to V7.0 or a later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-195895 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.6
• ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
• Vendor: ORing
• Equipment: IAP-20
• Vulnerabilities: Cross-site Scripting, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to invoke commands to compromise the device via the management interface.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ORing products are affected:

• IAP-420: Versions 2.01e and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A stored cross-site scripting can be triggered by placing JavaScript code into the SSID input field of the web interface. An attacker could exploit this vulnerability by luring an authenticated user to visit a malicious website.

CVE-2024-5410 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5410. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The filename parameter of a configuration file upload is prone to a command injection vulnerability. This vulnerability can only be exploited if a user is authenticated to the web interface. An attacker could invoke commands and gain full control over the device.

CVE-2024-5411 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5411. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

CISA discovered public proof of concept (PoC) as authored by Thomas Weber of CyberDanube and reported it to ORing.

4. MITIGATIONS

ORing is aware of the vulnerabilities and is working to produce a fix. For more information, contact ORing directly.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Teamcenter
• Vulnerability: URL Redirection to Untrusted Site (‘Open Redirect’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to redirect the legitimate user to an attacker-controlled URL to steal valid session data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Teamcenter: All versions prior to V14.3.0.0

3.2 VULNERABILITY OVERVIEW

3.2.1 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

The SSO login service of affected applications accepts user-controlled input that could specify a link to an external site. This could allow an attacker to redirect the legitimate user to an attacker-controlled URL to steal valid session data. For a successful exploit, the legitimate user must actively click on an attacker-crafted link.

CVE-2025-23363 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nicolo Vinci reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Teamcenter: Do not click on links from untrusted sources
• Teamcenter: Update to V14.3.0.0 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-656895 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC S7-1200 CPU Family
• Vulnerabilities: Improper Resource Shutdown or Release, Improper Validation of Syntactic Correctness of Input

2. RISK EVALUATION

The affected devices do not correctly process certain special crafted packets sent to Port 80/tcp and Port 102/tcp, which could allow an attacker to cause a denial of service in the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): vers:all/<V4.7

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

The affected devices do not correctly process certain special crafted packets sent to Port 80/tcp, which could allow an unauthenticated attacker to cause a denial of service in the device.

CVE-2025-24811 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24811. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286

The affected devices do not correctly process certain special crafted packets sent to Port 102/tcp, which could allow an attacker to cause a denial of service in the device.

CVE-2025-24812 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24812. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Gao Jian coordinated the disclosure of CVE-2025-24812 with Siemens.
Siemens then reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0), SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0), SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0), SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0), SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Update to V4.7 or a later version.
• SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0), SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0), SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0), SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Update to V4.7 or a later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-224824 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIPROTEC 5 Devices
• Vulnerability: Use of Default Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to retrieve sensitive information of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens SIPROTEC 5 7VE85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SS85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2): All versions prior to V9.90
• Siemens SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2): All versions prior to V9.90
• Siemens SIPROTEC 5 7UT82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7UT85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MD84 (CP300): All versions prior to V9.90
• Siemens SIPROTEC 5 7SJ82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SL86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7KE85 (CP300): Versions later than and including V8.80
• Siemens SIPROTEC 5 7SJ86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MD86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SX82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SL87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SA82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SL82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SJ85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7ST85 (CP300): Versions later than and including V8.80
• Siemens SIPROTEC 5 7ST86 (CP300): All versions
• Siemens SIPROTEC 5 7SD82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SK85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 Compact 7SX800 (CP050): Version V9.50 up to but not including V9.90
• Siemens SIPROTEC 5 6MD85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MU85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SK82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SA87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7VK87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7VU85 (CP300): All versions prior to V9.90
• Siemens SIPROTEC 5 7SA86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SD87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 Communication Module ETH-BD-2FO: Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MD89 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7UM85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SJ81 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7UT86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SX85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7UT87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SY82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SD86 (CP300): Version V8.80 up to but not including V9.90

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF DEFAULT CREDENTIALS CWE-1392

Affected devices do not properly validate SNMP GET requests. This could allow an unauthenticated, remote attacker to retrieve sensitive information of the affected devices with SNMPv2 GET requests using default credentials.

CVE-2024-54015 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-54015. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Restrict access to port 161/udp to trusted IP addresses only.
• All affected products: Disable the SNMP service running in the communication modules, if not used.
• SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300): Currently no fix is available.
• SIPROTEC 5 Compact 7SX800 (CP050): Update to V9.90 or later version.
• SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UT82 (CP150): Update to V9.90 or later version.
• SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300): Update to V9.90 or later version.
• SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2), SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2), SIPROTEC 5 Communication Module ETH-BD-2FO: Update to V9.90 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-767615 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.1
• ATTENTION: Low attack complexity
• Vendor: Siemens
• Equipment: SIPROTEC 5
• Vulnerability: Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with physical access to read the sensitive information from the filesystem of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens SIPROTEC 5 7SK85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ81 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SL86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SL86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SJ86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SK82 (CP100): vers:all/*
• Siemens SIPROTEC 5 6MD84 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SA87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7ST85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7UT87 (CP300): vers:all/*
• Siemens SIPROTEC 5 6MD89 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD82 (CP100): vers:all/*
• Siemens SIPROTEC 5 6MD85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7ST86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7UT86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SX85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD87 (CP300): vers:all/*
• Siemens SIPROTEC 5 7VU85 (CP300): vers:all/*
• Siemens SIPROTEC 5 6MU85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7UT86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7VK87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7UT85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7UT82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7SA87 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ81 (CP150): vers:all/*
• Siemens SIPROTEC 5 7SJ82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SA82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7UT87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SX82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7SD86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SL87 (CP300): vers:all/*
• Siemens SIPROTEC 5 6MD85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7ST85 (CP200): vers:all/*
• Siemens SIPROTEC 5 Compact 7SX800 (CP050): vers:all/*
• Siemens SIPROTEC 5 6MD86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7KE85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SL82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SL82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7VE85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7KE85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SA86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SL87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SY82 (CP150): vers:all/*
• Siemens SIPROTEC 5 6MD86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SJ86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SA86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7UM85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SS85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SK82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7UT82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SS85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SJ85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7UT85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SK85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7VK87 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SA82 (CP150): vers:all/*

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

The affected devices do not encrypt certain data within the on-board flash storage on their PCB. This could allow an attacker with physical access to read the entire filesystem of the device.

CVE-2024-53651 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-53651. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Steffen Robertz, Stefan Viehböck, and Constantin Schieber-Knöbl from SEC Consult Vulnerability Lab reported this vulnerability to Siemens.
Siemens then reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Limit physical access to affected devices to trusted personnel.
• All affected products: Provision certificates signed by customer PKI as described in https://support.industry.siemens.com/cs/document/109768375.
• SIPROTEC 5 6MD85 (CP200), SIPROTEC 5 6MD86 (CP200), SIPROTEC 5 7KE85 (CP200), SIPROTEC 5 7SA86 (CP200), SIPROTEC 5 7SA87 (CP200), SIPROTEC 5 7SD86 (CP200), SIPROTEC 5 7SD87 (CP200), SIPROTEC 5 7SJ85 (CP200), SIPROTEC 5 7SJ86 (CP200), SIPROTEC 5 7SK85 (CP200), SIPROTEC 5 7SL86 (CP200), SIPROTEC 5 7SL87 (CP200), SIPROTEC 5 7SS85 (CP200), SIPROTEC 5 7ST85 (CP200), SIPROTEC 5 7UT85 (CP200), SIPROTEC 5 7UT86 (CP200), SIPROTEC 5 7UT87 (CP200), SIPROTEC 5 7VK87 (CP200): Currently no fix is planned.
• SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT82 (CP100), SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300), SIPROTEC 5 Compact 7SX800 (CP050): Currently no fix is available.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-111547 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Opcenter Intelligence
• Vulnerabilities: Improper Authentication, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Deserialization of Untrusted Data, Insertion of Sensitive Information into Log File, Server-Side Request Forgery (SSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could enable an attacker to execute remote code or allow a malicious site administrator to change passwords for users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Opcenter Intelligence: All versions prior to V2501

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER AUTHENTICATION CWE-287

Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server users using Local Identity Store for managing users. The vulnerability allows a malicious site administrator to change passwords for users in different sites hosted on the same Tableau Server, resulting in the potential for unauthorized access to data. Tableau Server versions affected are: 2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, 2021.4.4 and earlier. All future releases of Tableau Server will address this security issue. Versions that are no longer supported are not tested and may be vulnerable.

CVE-2022-22127 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2022-22127. A base score of 7.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent’s internal file transfer service that could allow remote code execution. Tableau only supports product versions for 24 months after release. Older versions have reached their end of life and are no longer supported. They are also not assessed for potential security issues and do not receive security updates.

CVE-2022-22128 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-22128. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The Java OpenWire protocol marshaller is vulnerable to remote code execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue. For Opcenter Intelligence: On November 2, 2023, Apache announced the discovery of CVE-2023-46604, a remote code execution (RCE) vulnerability impacting Apache ActiveMQ clients. As a result of this issue, a remote threat actor with network access to either a Java-based OpenWire broker or client could execute code remotely to run arbitrary shell commands.

CVE-2023-46604 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-46604. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532

Personal access token disclosure vulnerability in Tableau Server. For details see Salesforce knowledge article id 000390611.

CVE-2025-26490 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-26490. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Server-side request forgery (SSRF) vulnerability in Tableau Server. For details see Salesforce knowledge article id 001534936.

CVE-2025-26491 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-26491. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends Opcenter Intelligence users update to V2501 or later version and install the latest available version of Tableau Server as described in https://support.sw.siemens.com/knowledge-base/PL8822108.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-246355 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication