Publication Date:
Last Update:
Current Version: V1.9
CVSS v3.1 Base Score: 7.5
Affected Product and Versions Remediation

All versions

All versions < V2.7

All versions < V15.1 Upd 4
Update to V15.1 Upd4 or later version

All versions < V15.1 Upd 4
Update to V15.1 Upd4 or later version

All versions < V15.1 Upd 4
Update to V15.1 Upd4 or later version

All versions < V5.1.3

All versions

All versions < V14 SP1 Update 14
Update to V14 SP1 Update 14 or later version

All versions

All versions < V1.1.0

All versions < V3.2.1

All versions >= V2.5 < V2.6.1

All versions between V2.5 (including) and V2.7 (excluding)

All versions < V3.15 P018

All versions < V15.1 Upd 4
Update to V15.1 Upd 4 or later version

All versions < V1.0 SP1

All versions < V14 SP2

All versions < V2.1

All versions < V3.1.1
  • Deactivate the OPC UA Service if supported by the product
  • Use VPN for protecting network communication between cells

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

CVSS v3.1 Base Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE CWE-248: Uncaught Exception

  • Artem Zinenko from Kaspersky for pointing out that SIPLUS should also be mentioned

https://www.siemens.com/cert/advisories

V1.0 (2019-04-09): Publication Date
V1.1 (2019-05-14): Clarify productnames for SIMATIC HMI Products, added solution for SIMATIC S7-1500 CPU family, modified affected versions for SIMATIC Net PC Software
V1.2 (2019-06-11): Added update for SIMATIC Software Controller and SIMATIC ET 200 SP Open Controller CPU 1515SP PC2
V1.3 (2019-07-09): Added update for SIMATIC RF600R, SIMATIC RF188C and SINEMA Server
V1.4 (2020-01-14): Added updates for SIMATIC Panels and SIMATIC WinCC Runtime Advanced. SIPLUS devices now explicitly mentioned in the list of affected products
V1.5 (2020-02-11): Added updates for SIMATIC NET PC Software
V1.6 (2020-03-10): Added updates for SIMATIC IPC DiagMonitor and SINEC
V1.7 (2022-02-08): No remediation planned for SIMATIC CP 443-1 OPC UA
V1.8 (2022-04-12): Added solution for SIMATIC NET PC Software V14 and clarified affected versions; no remediation planned for V15
V1.9 (2022-08-09): Added fix for TeleControl Server Basic